Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 64a5aff19f604d1b…

MALICIOUS

Office (OLE) / .XLS

Size: 33.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-28
MD5: c98b591045254c2718c745c12be14666
SHA-1: b359945a78debbe15636833481e99854086ba44d
SHA-256: 64a5aff19f604d1b5a446e7c8f21c78d0920584f7a18ee09606967e070b169c2
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1218.011 Signed Binary Proxy Execution: Rundll32

The critical heuristic fires because the VBA code executes content taken from worksheet cells: it hands cell-derived strings to GetObject to instantiate an object and then invokes a run/exec method on it. The macro concatenates strings stored in cell notes (comments) to build the COM moniker and the command, so the macro source itself carries no literal URL, path or ProgID. Because those cell references are only resolved at run time, the exact command is not recoverable from the VBA alone: the cell notes have to be pulled from the workbook (they are not part of the VBA project) or the sample detonated to see it. The mechanism nonetheless points to a macro-based downloader that most likely fetches and runs a second-stage payload.

Heuristics (3)

  • [critical] OLE_VBA_CELL_GETOBJECT_EXEC: VBA instantiates/executes content from worksheet cells
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • [high] OLE_VBA_GETOBJ: GetObject call
    The macro calls GetObject.
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code.
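The narrative above and the heuristic definitions can be checked directly against decoded VBA source. The following Python is an added example, not code from the report's analysis engine or from oletools: a small taint-style scanner over olevba-style output that joins VBA line continuations, records variables assigned from cell/comment reads, flags a GetObject whose argument is cell-derived, and reports a sink only when it is driven from that object or from tainted data. The two macros embedded in it are constructed for illustration and are not the carved macros.bas; the heuristic IDs and severities are the report's own, while the exact sink list (Exec/Run/Open/ShellExecute) and the set of cell properties treated as data sources are assumptions.

```python
"""Detector for the OLE_VBA_CELL_GETOBJECT_EXEC pattern: VBA that feeds
worksheet cell/comment data into GetObject and then drives an Exec/Run/Open
sink. Input is decoded VBA source, e.g. the macros.bas olevba extracts."""
import re

# Constructed sample modelled on the mechanism the report describes (two cell
# notes concatenated into a moniker, passed to GetObject, then an Exec sink).
# It is NOT the macros.bas carved from the analysed file.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim s As String, o As Object
    s = Sheets(1).Range("A1").Comment.Text & _
        Sheets(1).Range("B1").Comment.Text
    Set o = GetObject(s)
    o.Exec Sheets(1).Cells(2, 1).NoteText
End Sub
'''

# Constructed benign macro: GetObject with a literal ProgID and no sink.
BENIGN_VBA = r'''
Sub Report()
    Set xl = GetObject(, "Excel.Application")
    MsgBox Range("A1").Value
End Sub
'''

# Cell or comment read: Cells(...)/Range(...) followed by a data property
# (assumed list of properties worth treating as attacker-controlled data).
CELL_REF = re.compile(
    r'\b(?:Cells|Range)\s*\(.*?\)\s*\.\s*'
    r'(?:Comment\s*\.\s*Text|NoteText|Value|Text|Formula)\b', re.I)
GETOBJECT = re.compile(r'\bGetObject\s*\(', re.I)
ASSIGN = re.compile(r'^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$', re.I)
# Object (or a closing paren, i.e. an inline GetObject(...)) followed by a
# sink method; the sink names are an assumption extended from the heuristic.
SINK = re.compile(r'(\w+|\))\s*\.\s*(Exec|Run|Open|ShellExecute)\b', re.I)
PROC = re.compile(r'^(?:Public\s+|Private\s+)?(?:Sub|Function)\b', re.I)
IDENT = re.compile(r'[A-Za-z_]\w*')


def logical_lines(src):
    """Join VBA line continuations (trailing ' _') into single statements,
    so a moniker split across lines is still seen as one expression."""
    out, buf = [], ''
    for raw in src.splitlines():
        line = raw.strip()
        if re.search(r'\s_$', line):
            buf += line[:-1]
            continue
        buf += line
        if buf:
            out.append(buf)
        buf = ''
    return out


def analyze(src):
    """Return the heuristics that fire plus the evidence lines.
    Identifier tracking is case-insensitive, as VBA itself is."""
    tainted, getobj_vars = set(), set()
    cell_getobject, getobject, sinks = [], [], []
    has_proc = False
    for ln in logical_lines(src):
        has_proc = has_proc or bool(PROC.match(ln))
        m = ASSIGN.match(ln)
        lhs, rhs = (m.group(1).lower(), m.group(2)) if m else (None, ln)
        names = {n.lower() for n in IDENT.findall(rhs)}
        rhs_tainted = bool(CELL_REF.search(rhs)) or bool(names & tainted)
        g = GETOBJECT.search(rhs)
        if g:
            getobject.append(ln)
            args = rhs[g.end():]           # everything after "GetObject("
            arg_names = {n.lower() for n in IDENT.findall(args)}
            if CELL_REF.search(args) or arg_names & tainted:
                cell_getobject.append(ln)  # moniker comes from cell data
            if lhs:
                getobj_vars.add(lhs)
        if lhs and rhs_tainted:
            tainted.add(lhs)               # propagate cell-derived data
        for s in SINK.finditer(ln):
            obj = s.group(1).lower()
            if obj in getobj_vars or (obj == ')' and g) or rhs_tainted:
                sinks.append(ln)
                break
    hits = []
    if cell_getobject and sinks:
        hits.append(('OLE_VBA_CELL_GETOBJECT_EXEC', 'critical'))
    if getobject:
        hits.append(('OLE_VBA_GETOBJ', 'high'))
    if has_proc:
        hits.append(('OLE_VBA_MACROS', 'medium'))
    return {'heuristics': hits, 'cell_getobject': cell_getobject,
            'sinks': sinks, 'tainted': sorted(tainted)}


if __name__ == '__main__':
    for name, src in (('sample', SAMPLE_VBA), ('benign', BENIGN_VBA)):
        r = analyze(src)
        print(name, r['heuristics'], r['sinks'])
```

The benign macro shows why the cell-fed check matters: a bare GetObject with a literal ProgID still trips OLE_VBA_GETOBJ, but only a GetObject whose argument traces back to a cell or comment read, combined with a sink on the resulting object, escalates to the critical heuristic. The scanner is deliberately line-local and regex-based, so heavily obfuscated macros (string building across procedures, Chr()/StrReverse tricks) will need the cell contents and a dynamic run to confirm what is actually executed.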

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2318e053a869f88efdb9f67b4ecd4b83d56f945d298ddcb0d299ffe305bfb58f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1129 bytes