Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6a8ebc0b2656ab81…

MALICIOUS

Office (OLE) / .XLS

Size: 479.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-05-03
MD5: f081478be2867b7c8ac098660804a426
SHA-1: f70d0345f02dc0170256ee774d59391a43696554
SHA-256: 6a8ebc0b2656ab81b238d306378bee9dd4cb6345feebd574f35c824108191ef5
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristic 'OLE_VBA_CELL_GETOBJECT_EXEC' indicates that the VBA macros instantiate and execute content read from worksheet cells, a common technique for dropping and running malicious payloads. The presence of VBA macros and a GetObject call further supports this. Much of the script consists of commented-out 'MsgBox' calls, suggesting obfuscation or incomplete analysis, but the underlying structure points to execution of external code.

Heuristics (4)

  • VBA instantiates/executes content from worksheet cells [critical] OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • GetObject call [high] OLE_VBA_GETOBJ
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 450e42af12982a549be38bf5c173c1b78658e7dfa2674d65399c772815e6b683
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3434 bytes