Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 822ab57ed65f28b1…

MALICIOUS

Office (OLE)

Size: 2.62 MB
Created: 2004-03-29 22:32:10
Authoring application: Microsoft Excel
MD5: bb60bba4288a531ec5f1b204876a1ea9
SHA-1: bd9b5057e7942ec370517a338baaaaa6e9be39c8
SHA-256: 822ab57ed65f28b18aad8b76ba4ce2eb1db6e40f0c0828d1b8078709e69e377d
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an Excel file containing a large VBA macro, identified by the OLE_VBA_MACROS heuristic. The SE_INVOICE_LURE heuristic suggests the document's content is designed to trick the user, likely related to purchase orders or invoices. The presence of a VBA macro and the CreateObject heuristic indicate that the macro is designed to perform actions beyond simple document manipulation, such as downloading and executing additional malicious content. No specific family could be identified.

Heuristics (4)

  • CreateObject call | severity: high | OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected | severity: medium | OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure | severity: low | SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators
  • Embedded URL | severity: info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
    4392897a513c9966ed309281acce323cc0ae0eccfa81f21d041023922f9a0b24
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 88067 bytes