Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6ea504859dafb477…

MALICIOUS

Office (OLE) / .XLS

33.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-04-28
MD5: c8ca268ff29389fa0c0d2df4af7eeba6 SHA-1: 83706ebb950281641dc61b6f23b34144dfb58f1a SHA-256: 6ea504859dafb477ac16b815e303fc121472298e1cbde707bf292b3432ec20e1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristic indicates that VBA code within the Excel file instantiates and executes content from worksheet cells. The Workbook_Deactivate event triggers a function that concatenates strings from cell notes (C4, C5) and uses GetObject to instantiate 'wscript.shell' (from C7) to execute the combined string. This strongly suggests the macro is designed to download and execute a second-stage payload, a common technique for malware delivery.

Heuristics 3

  • VBA instantiates/executes content from worksheet cells critical OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b25dd9ad9a86c47f771c65bbd0d69ad620d8c6b413fba91c6a562a6db7e09f24		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1141 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.