Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 8057d3ff1039d59d…

MALICIOUS

Office (OLE) / .XLSX

4.76 MB Created: 2006-11-08 15:21:05 Authoring application: Microsoft Excel First seen: 2023-01-31
MD5: 66182b63d16f5bc7ad136d5638d22d37 SHA-1: 4793e36ae1c4bbe2c9bcad789ffb1aabefa38485 SHA-256: 8057d3ff1039d59da429bcde2b206ff11d8be59b4c037aaf116cd8dd61fd7d0c
622 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059.001 PowerShell T1105 Ingress Tool Transfer T1059.003 Windows Command Shell

The file contains critical VBA heuristics indicating it uses obfuscated auto-exec loaders, CreateObject, Shell(), and WScript.Shell to download and execute payloads. Specifically, the Workbook_Open and Auto_Open macros are present, suggesting immediate execution upon opening. The script also references ShellExecute and WScript.Shell, confirming its intent to run external commands or scripts. The embedded URLs are likely sources for these secondary payloads.

Heuristics 15

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • x86 GetPC stub (CALL $+5; POP EBP) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://srcedit.pekori.jp/tool/share_e.txt
    • http://srcedit.pekori.jp/tool/share.txt
    • http://srcedit.pekori.jp/tool/method_e.txt
    • http://srcedit.pekori.jp/tool/method.txt
    • http://srcedit.pekori.jp/
    • http://news.yahoo.co.jp/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
5381fe5308b93e49b07aefbdd0cd6bd2fe3ceb0c512223e2caf7fb085c65c6cb		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 8388608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.