Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 685443eaa876fa33…

MALICIOUS

Office (OLE) / .XLS

24.0 KB
Created: 2005-01-21 15:48:24
Authoring application: Microsoft Excel
MD5: b98df5cff13bb8fad2db522365768605
SHA-1: 0b13b3b1354508f387497c8fff2489ab85f31d01
SHA-256: 685443eaa876fa3325394786b213359f2d41e80d5a87569b5a3a860f7baaaf93
108 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is an XLS file containing VBA macros, with a high-confidence heuristic indicating an Auto_Open macro. The VBA code attempts to copy and save the workbook as 'FirstGo.XLS' in the application's startup path, suggesting an attempt at persistence. The presence of an embedded PE executable is noted but not directly acted upon by the visible VBA code.

Heuristics 4

  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Embedded PE executable high OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          1469a5c64195db7565ed6c5e9fe14365f396f97b1147c46fbdd1bb9b03530683
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19064 bytes