Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7670c8a6076600df…

MALICIOUS

Office (OLE)

826.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel
MD5: 852293014535b9a062357c71a6cccf51 SHA-1: 0cb93391ebc144b3cb484157717446f4a4bfb700 SHA-256: 7670c8a6076600df6d9bbc68d099371e12f9609c0f256cd00d97714b1e22320d
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1129 Execution through API

The file is an Office document containing VBA macros. Heuristics indicate the presence of CreateObject and CallByName functions, commonly used for malicious purposes. The document body instructs the user to enable macros, a typical lure for macro-based malware. The VBA script attempts to write data to 'C:\Users\Public\Documents\load.txt', suggesting it may be part of a downloader or dropper mechanism.

Heuristics (6)

  • ClamAV: Xls.Malware.Exvk-9785252-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Exvk-9785252-0
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • CallByName call [high, OLE_VBA_CALLBYNAME]
    CallByName call
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Macro/content-enable lure [medium, SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 431b5eeffb7b3dac7e5f3fa28ab3ad5c6246b2262314050ad4709f6f7eef07c8
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3818 bytes