Malicious Office (OOXML) / .OLE — malware analysis report

Static analysis result for SHA-256 6af7c4272c9cc158…

MALICIOUS

Office (OOXML) / .OLE

Size: 88.7 KB
Created: 2020-05-14 05:20:27 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 1e9afee600fe145e749f0e82069c71c0
SHA-1: 796a3de9aba74836337623b9c2d63d1e4e5878dc
SHA-256: 6af7c4272c9cc1580dbb06b5be4b5c97d1df64c3a9ca45de6fac8bd081f70c93
Risk Score: 268

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a Workbook_Open macro that uses a character-shift decoding function to construct and execute a command via Shell(). The decoded command appears to be a path to an executable file, likely a second-stage payload. The macro also attempts to create an Excel application object and wait for 10 seconds before executing another Shell command, potentially to delay detection or allow the first payload to establish itself. The decoded executable path is C:\Users\Public\gŠ�†�‚ކO†™†HJ.exe, and the second Shell command executes C:\Users\Public\AN†™†„–•Š��‘��Š„šAƒš‘‚””ANxAiŠ……†�AN„�ŽŽ‚�…AI�†˜N�ƒ‹†„•At𔕆ŽOo†•Ox†ƒd�І�•JOe�˜���‚…gŠ�†IH‰••‘[PP‘��‚‚‚…†•‚…‡O�“ˆP“†„†Š‘•O†™†HME†�—[u†Ž‘LH}gŠ�†�‚ކO†™†HJ.exe.

Heuristics (7)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • VBA character-shift decoded Shell command [critical] OLE_VBA_ASC_CHR_SHIFT_SHELL
    VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project inside OOXML [medium] OOXML_VBA
    Document contains a VBA project: VBA macros present
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 2e6c2fccca85b422c7d3e90441f527e6397ea19a34f0b630a4f6f9225539858b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
    Size: 1529 bytes
  • Filename: vbaProject_00.bin
    SHA-256: a75c5ab4bfb8ac73be9ba1e1bc69c041d317ca39cdf00a489a5af65b0c24ddf3
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 14848 bytes