Malicious Office (OLE) / .XLS — malware analysis report

Heuristics 10

• Shell() call in VBA critical OLE_VBA_SHELL
  Shell() call in VBA
• WScript.Shell usage critical OLE_VBA_WSCRIPT
  WScript.Shell usage
• VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
• Reference to Windows Script Host high SC_STR_WSCRIPT
  Reference to Windows Script Host
• Workbook_Open macro high OLE_VBA_WBOPEN
  Workbook_Open macro
• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• VBA macros detected medium OLE_VBA_MACROS
  Document contains VBA macro code
• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1�

  • https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  • https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download�
  • https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

Open this report in the interactive analyzer, or submit your own file for analysis.