Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 72a01610de72cacd…

MALICIOUS

Office (OLE) / .XLS

Size: 34.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-03-02
MD5: f9a52f97a41cc1955fbfedbcf2ac2479
SHA-1: f93d6da01e440b17694b1b20fced1b9d314360a9
SHA-256: 72a01610de72cacddef9297c415389d17ae9069d74ce742171ce3be65b27366b
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The VBA macro code contains calls to ShellExecute and GetObject, indicating an attempt to execute external code. The script attempts to paste an embedded object into a folder specified by an environment variable, and then opens a file named 'LCSSW.js'. This suggests the macro is designed to download and execute a second-stage payload, likely JavaScript, from a location determined by the environment. The presence of PowerShell references further supports the execution of external commands.

Heuristics 6

  • VBA instantiates/executes content from worksheet cells (critical, OLE_VBA_CELL_GETOBJECT_EXEC)
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1269 bytes
    SHA-256: 56d7a58d91d265ee98f03df32695ed97a8e86e7d6c2c28f971c7530e10bcd205
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD0086678C/Ole10Native
    Size: 1092 bytes
    SHA-256: 44bf214f141b80e6f53014cdd215d5fc6080ee27b92d4571dcc859eae09d2efb