Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6e2eeee891aac7ca…

MALICIOUS

Office (OLE) / .XLS

Size: 35.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 2e63528e29f40de6e04b102e14322205
SHA-1: 306894a5162f7425c7c2efc0492fed87ce88f247
SHA-256: 6e2eeee891aac7ca4db3ee3cbc70b345689207cc0ecca2e3d9603e4eb3d3fe56
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is an Excel file containing obfuscated VBA macros. The macros reassemble a dangerous API name and use GetObject to execute a downloaded second-stage payload. The reconstructed URL is http://fundhubusab.com/fund/busa/Protected Client.vbs, which is then executed as notepad.vbs.

Heuristics (3)

  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash: 765378be297c4b3623a3f3d95bcae67c367fc70fa4e2c3c16be5760a47facbf2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1246 bytes