Malicious Office (OLE) / .XLA — malware analysis report

Static analysis result for SHA-256 660f63260df8ac20…

MALICIOUS

Office (OLE) / .XLA

Size: 573.5 KB
Created: 2003-07-09 16:59:49
Authoring application: Microsoft Excel
MD5: faf24c0e54a64d600b584a36b86f83c0
SHA-1: 4a894db2bcf0d0c3ff77149eb014831e5694b872
SHA-256: 660f63260df8ac20d6b5c2ae074b584fd24c8a1e14f190d2586061e133734efa
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

This Excel macro-enabled workbook (XLA) contains Auto_Open and Auto_Close macros, so its code runs as soon as the file is opened or closed. The critical OLE_VBA_SHELL heuristic fired on a Shell() call in the VBA code, which indicates that the macro launches an external program. Specifically, the script attempts to run 'C:\EPLAN4\540\EPL6000.EXE /$EPL6001 /PC:\Eplan4\P\', which is likely a downloader or the initial execution vector for a secondary payload.

Heuristics (10)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Auto_Open macro (high, OLE_VBA_AUTO)
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED)
    Long run of 0x40 bytes
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://Eplan5-Tools.heim.at
    • http://www.Eplan5-Tools.de.vu

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 52209dd33b2a97d5165bc92b6159319d6dc15728eed122a7722b7816a8796d32
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 290424 bytes