Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 66d53ee48b1c64c2…

MALICIOUS

Office (OLE) / .XLS

Size: 475.5 KB | Created: 2015-06-05 18:17:20 | Authoring application: Microsoft Excel | First seen: 2022-04-08
MD5: 5f39f481626a012a8e42f5e71d46159e
SHA-1: 0a808fdd5093d8d53930a0d449b8669ac99d9290
SHA-256: 66d53ee48b1c64c2ecf5a7a94799c96e98fe04e90f19f7066d23b158de76cbcd
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32
  • T1071.001 Application Layer Protocol: Web Protocols (HTTP)
  • T1140 Deobfuscate/Decode Files or Information

The sample is a macro-enabled Excel file that uses VBA to construct and execute a command. The VBA code concatenates strings taken from worksheet cells and environment variables to form a command that appears to download and execute a second-stage payload. Specifically, it calls GetObject on a worksheet range and then attempts to execute a file named 'YJoCs.bat' from the AppData directory. The critical heuristic 'OLE_VBA_CELL_GETOBJECT_EXEC' strongly indicates this behavior: because the moniker and command are assembled from cell data at run time, the macro source itself carries no literal indicators.

Heuristics 4

  • VBA instantiates/executes content from worksheet cells critical OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 12f2f4966af06573236f3732e01fc1eeb7c9eeface9e56a9f258ab48f510807e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1343 bytes