Malicious Office (OLE) / .XLA — malware analysis report

Static analysis result for SHA-256 6d6a718c66e29949…

MALICIOUS

Office (OLE) / .XLA

Size: 723.5 KB
Created: 2006-04-09 22:00:00
Authoring application: Microsoft Excel
MD5: c074db2e1719f8f4dd9fa6c2aae6967d
SHA-1: 6a19833cbf59d4ee12775f3d6dadf8c22fa2f85d
SHA-256: 6d6a718c66e29949a2882e4bba33785374ac3864b90ecbd59c8277c0be5492d0
Risk Score: 342

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment
  • T1082 System Information Discovery

The file is an Excel macro-enabled workbook (XLA) containing VBA code that runs from Auto_Open and Auto_Close macros. Heuristics indicate exploitation of CVE-2012-0158 and CVE-2012-1856 and a reference to the ShellExecute API, suggesting an attempt to execute arbitrary code. The VBA code also contains references to closing workbooks and saving, and embeds URLs, indicating a potential downloader or exploit-delivery mechanism.

Heuristics (10)

  • MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 (severity: high; CVE likely; rule: CVE_2012_1856)
  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; CVE likely; rule: CVE_2012_0158)
  • Reference to ShellExecute API (severity: high; rule: SC_STR_SHELLEXEC)
  • Auto_Open macro (severity: high; rule: OLE_VBA_AUTO)
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • LOLBin token sequence in document text (severity: high; rule: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.marusoft.de
      • http://www.marusoft.de/faq.htm

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e59f0bf7e9d695dbf66a0e105978033490f1d328185be258e9597ccbf9fc09bb
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 138435 bytes