Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7d2277ac2842145d…

MALICIOUS

Office (OLE) / .XLS

32.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-03
MD5: 8ea6253017bf0ad47a82b7c2962bd585 SHA-1: a7ca2b9293cd4871c2dc7fb4a9bbaaed7bcadb15 SHA-256: 7d2277ac2842145d229f31429d8d372c12306363f65cb73b390703f1e0eb95a5
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The sample contains VBA macros that leverage `GetObject` and `CreateObject` to construct and execute a batch script. The script is designed to create a file named 'Jasfu.bat' in the user's profile directory, which likely serves as a downloader for a second-stage payload. The `GetObject` call with the string 'new:13709620-C279-11CE-A49E-444553540000' suggests an attempt to interact with a specific COM object for execution.

Heuristics 5

  • VBA instantiates/executes content from worksheet cells critical OLE_VBA_CELL_GETOBJECT_EXEC
    VBA passes a worksheet cell/comment reference to GetObject and drives an Exec/Open/Run sink. Malware hides the COM moniker and command in cell data so the macro source carries no literal indicators.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6cf65da953df71fe3e243965d30461fb55bcf89568e06fbacd62ae70217615e1		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.