Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7b9877d96a65e30f…

MALICIOUS

Office (OLE) / .XLS

File size: 32.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-08-25
MD5: 648a7a96afeb8f3242a9937e69a8521f
SHA-1: 2df7320a3ee720964d92898d285cf28f422c9f23
SHA-256: 7b9877d96a65e30f15a60b93223b0adeae6ccdf391e33e4b5a584e48ca30318d
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The VBA macro contains obfuscated PowerShell code that attempts to download a VBScript from 'http://mochagean.com/gniew/protector/Client.vbs' and save it as 'notepad.vbs' in the temporary directory. The PowerShell command is constructed by concatenating reversed strings and references to Excel sheet properties, indicating an attempt to evade detection. The macro also uses CreateObject to execute this downloaded payload.

Heuristics (3)

  • SC_STR_POWERSHELL (high): Reference to PowerShell
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected. Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
a8634d2e56a0d5944a4f4f73baf6f3f925e68e6dda561afc0dc02c8711868273
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1377 bytes