Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 799a710d18cae159…

MALICIOUS

Office (OLE) / .XLS

3.21 MB
Created: 2010-05-25 11:09:35
Authoring application: Microsoft Excel
MD5: 116d0febe3a8345aa5170d17d498bbeb
SHA-1: 21aa51ac074a1687a4e4360d1bb2be029ecaf9ba
SHA-256: 799a710d18cae1594fe213437f2c89bce24a60594c5c88e0e0959779eb19c5d6
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1037.001 Boot or Logon Initialization: Registry Run Keys / Startup Folder

The sample is an Excel workbook containing a Workbook_Open VBA macro, a common technique for running code automatically when the document is opened. The macro likely attempts to download and execute a second-stage payload, as indicated by its CreateObject and ShellExecute API calls. The presence of an Equation Editor OLE object also suggests a potential exploit vector. The document body appears to relate to calibration certificates, which could serve as a lure.

Heuristics (8)

  • Equation Editor OLE object [high] OLE_EQUATION_EDITOR
    Contains an Equation Editor object, related to CVE-2017-11882 / CVE-2018-0802 exploitation; CLSID presence alone, however, is not the malformed MTEF exploit primitive.
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.excelguru.ca/node/21#MultiSingle
    • http://www.exceltip.com/st/Copy_modules_from_one_workbook_to_another_using_VBA_in_Microsoft_Excel/501.html
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://www.iec.ch
    • http://sourceforge.net/projects/pdfcreator/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
macros.bas | a5d635a0ca797d0af4a8dd83be963b6441ea820350247e021ebd995f64e75d65 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 163981 bytes
ole10native_00.bin | 2a5e78e1bcf929b5cfe66df8c699eff7018dc7785754f6e5a2a180e015ff312e | ole-package | OLE Ole10Native stream: MBD000D93B3/Ole10Native | 842724 bytes
ole10native_01.bin | 4820bb9ba3633786cc4ee2acf34577d0858e85070bcb7c4264b98d2eff449629 | ole-package | OLE Ole10Native stream: MBD000D93B4/Ole10Native | 23268 bytes
ole10native_02.bin | 703b9704e6e5a2fb2479d5ffb1ea5c2f2ed15186304bb35129ae9eab82cc1316 | ole-package | OLE Ole10Native stream: MBD000D93B5/Ole10Native | 26756 bytes
ole10native_03.bin | 8f04c276b201e35a2acfc9d714ac136e8e9323f16506d6602dd23105133b2660 | ole-package | OLE Ole10Native stream: MBD000D93B6/Ole10Native | 435684 bytes
ole10native_04.bin | f40b77f3c4c2467604fd081c7c3d597b60972b3d858f182ae82f3c58424fefb5 | ole-package | OLE Ole10Native stream: MBD000D93B7/Ole10Native | 28484 bytes
ole10native_05.bin | 3205ede8c1883c83cec866e89565206f03ea307b546be6580f0559f883029f06 | ole-package | OLE Ole10Native stream: MBD000D93B8/Ole10Native | 12612 bytes
ole10native_06.bin | f7cdab33e372cf7519621cc9d59ebb0a43236078b3220d8837aa35400858be58 | ole-package | OLE Ole10Native stream: MBD000D93B9/Ole10Native | 40260 bytes
ole10native_07.bin | 9ce3b426c114f8e5b06abfb651d52705d20a2c4ba1cfc862f8bcd35e39f5d8d5 | ole-package | OLE Ole10Native stream: MBD000D93BA/Ole10Native | 132324 bytes
ole10native_08.bin | f5b7391dfe76809023982a0f52b1242ed5e021f5a505c299f5bd2f7f2ab1d832 | ole-package | OLE Ole10Native stream: MBD000D93BB/Ole10Native | 16004 bytes
ole10native_09.bin | f113c54d0af22a7ac485793becb6b5804e6db4ebd5ccde0d89b5124f62c9aefc | ole-package | OLE Ole10Native stream: MBD000D93BC/Ole10Native | 25476 bytes
ole10native_10.bin | 590aa50537b9ea92e27d88fed193a9e295924cd1694a615dd4a01cb8498d9c20 | ole-package | OLE Ole10Native stream: MBD000E03B2/Ole10Native | 233540 bytes
ole10native_11.bin | be3bf10ae78ec693fb702fd8d49b5e1a12212b9c98d6d579c80581acf7acbf40 | ole-package | OLE Ole10Native stream: MBD000E343D/Ole10Native | 46948 bytes
ole10native_12.bin | ee944beafddbcc1de17c18f85f274ae9be571ea0004e1fd4178bc9c5abefa1c3 | ole-package | OLE Ole10Native stream: MBD000E4111/Ole10Native | 354308 bytes
ole10native_13.bin | 4138dca78a6eabb3fc3732906f0d1cd314a212b73999f975de476395e0034101 | ole-package | OLE Ole10Native stream: MBD000E48D7/Ole10Native | 52836 bytes