Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 925dbf95054df732…

MALICIOUS

Office (OLE)

Size: 713.5 KB
Created: 2021-07-14 08:38:23
Authoring application: Microsoft Excel
MD5: 1c54dba00a0049d433c29f7eabf1b486
SHA-1: 4b2ff00809d321e3cc3cd647c1a26b5556c5fba8
SHA-256: 925dbf95054df732ae3e22d9549cc9b8f9eee2fd0d05f9cc59091c197b6be637
Risk Score: 416

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an Excel document containing a Workbook_Open VBA macro that reads data from Sheet1, concatenates it into a string, and writes it to a script file named 'qSummaryOnRight.sct' in the ALLUSERSPROFILE directory. This script is then executed using mshta.exe. The macro uses CreateObject and WScript.Shell, indicating it's designed to execute arbitrary code. The document body presents a fake invoice, aligning with the SE_INVOICE_LURE heuristic.

Heuristics (11)

  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
  • LOLBin reference in VBA [critical] OLE_VBA_LOLBIN
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • Reference to mshta.exe [high] SC_STR_MSHTA
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8af30c71dc8c8ab78b24ae448cad0e39d5ab31ac824aed6f7ad8b880c7088c80
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1284 bytes