Office (OLE) / .XLS malware analysis — malicious · 89d6b9a0f7d4f30f

MALICIOUS

Office (OLE) / .XLS

84.5 KB Created: 2022-08-09 08:57:53 Authoring application: Microsoft Excel First seen: 2022-08-09

MD5: 5bc2a4eefe16c8465f076bdfc3d38870 SHA-1: 71d800ce5f7cbd5f9d3ba9a16626c592bbc28c46 SHA-256: 89d6b9a0f7d4f30f5021a893925dfbea12051a0d3e5f5845fd1bc45b74eed830

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_HTTP_DROP_EXEC indicates that the VBA macros within this Excel file are designed to download a file from the internet and save it to disk. The presence of VBA macros and CreateObject/GetObject calls further supports this. The script itself is heavily obfuscated, but the core functionality appears to be downloading and executing a payload.

Heuristics 4

VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `ce61a9a743bb53603d10048c06877c51ef47ae5560a4ce0cda720b215f36aca4`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.