Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6cfe913eaec6923c…

MALICIOUS

Office (OLE) / .XLS

132.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-03-03
MD5: d010c580de9bc00bb669e61b42e6200f SHA-1: 6eed21ebfd7148a1d996dfa7a90940d1bc3596af SHA-256: 6cfe913eaec6923caf09a2071997e0c3904776c476c0981acc2ab8189c6c5eb4
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The critical heuristic 'OLE_VBA_CELL_GETOBJECT_EXEC' indicates that VBA code is executing content from worksheet cells. The VBA script uses 'GetObject' and 'InvokeVerb "Paste"' to interact with embedded objects, and then attempts to open a file named 'SbYKO.js' from a path derived from the Environ() function, likely 'C:\Users\Public'. This script's intent is to download and execute a second-stage JavaScript payload, which is then executed by the system.

Heuristics 4

  • VBA instantiates/executes content from worksheet cells critical OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
97d1cc691f782b4ead9a79946417f330caf0c991dfc9ac6bceaea3890fa4a8ca		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1269 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.