Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7b0093ab95f1f771…

MALICIOUS

Office (OLE) / .XLS

Size: 33.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-05
MD5: 78815c303582c4095ec7c79e89f9aaf1
SHA-1: e7f914da75e8d06f7b84088e4dec8949bcee9afa
SHA-256: 7b0093ab95f1f77158ba4493cde35d433e2ffde2bbe45bb4568982447046e333
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is a macro-enabled Excel file containing VBA code. The Workbook_Deactivate subroutine concatenates text from cells C4 and C5, then passes this combined string to the zjykrB function. The zjykrB function constructs a command by prepending 'P' to text from cell C6 and appending the concatenated string from C4/C5. It then calls the klsad function, which uses GetObject to instantiate a WScript.Shell object, and executes the constructed command. This indicates the macro is designed to run arbitrary commands, likely to download and execute a second-stage payload.

Heuristics (2)

  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 7b6874d0f95b64025262d6636e36eadf33013404df5538603825a43ec66726a1
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1129 bytes