Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 66736be753a7e6b4…

MALICIOUS

Office (OLE) / .XLS

Size: 208.5 KB
Created: 1997-11-24 11:24:22
Authoring application: Microsoft Excel
MD5: 9dd977acbec3e4add825e77f7eff4640
SHA-1: 92fca29abc107bd0e2fae69548090076078832d2
SHA-256: 66736be753a7e6b4996e6089e6766ec875c63b52b3ed6d0318f1d72528b2d764
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an Excel file containing VBA macros and an embedded PE executable. The VBA macros most likely serve to drop and launch the embedded executable, a common malware delivery technique. Heuristics flag string references to the WinExec, CreateProcess, LoadLibrary and GetProcAddress APIs, which is consistent with the execution of a payload.

Heuristics (6)

  • OLE_EMBEDDED_EXE (critical): Embedded PE executable
    MZ/PE header found inside the document; possible embedded executable
  • SC_STR_WINEXEC (high): Reference to WinExec API
  • SC_STR_CREATEPROCESS (high): Reference to CreateProcess API
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • OLE_VBA_MACROS (medium): VBA macros detected
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 2163 bytes
    SHA-256: 12691f3b8f7de9843a8fb8293ad43fded32e9770add0a5d7025ac5f977afc0bd
  • Filename: embedded_office_0002d562.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x2D562
    Size: 27806 bytes
    SHA-256: 489cac0666db3fcb8e5aa8ec4259fe34b03e79015191439a24c63b1d66d55968