Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8782c155935feee9…

MALICIOUS

Office (OLE)

Size: 2.56 MB
Created: 2004-03-29 22:32:10
Authoring application: Microsoft Excel
MD5: 3ebb32ee14a708c16ebf6fbf5f4fad58
SHA-1: 4deb13cfb13bddc62e425ce7c7f3e633bad980c7
SHA-256: 8782c155935feee9af571c75666e8e40729e312e7e3fb7da8208ae2417b31ea5
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros, indicated by the OLE_VBA_MACROS heuristic. The SE_INVOICE_LURE heuristic suggests the document's content is a fake invoice or payment lure, designed to prompt the user to enable macros. The OLE_VBA_CREATEOBJ heuristic further confirms the presence of potentially malicious macro activity. No specific URLs or network indicators were found, but the presence of macros strongly suggests an attempt to download and execute a secondary payload.

Heuristics 4

  • CreateObject call (severity: high, heuristic: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA macros detected (severity: medium, heuristic: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Fake invoice / payment lure (severity: low, heuristic: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL (severity: info, heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          1c5efcf277267b97764d37af4a217359e9b058b19df32dde3a5962506ccf3ad9
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 88067 bytes