Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 937ecc3710546061…

MALICIOUS

Office (OLE) / .XLS

891.5 KB Created: 2021-05-19 13:26:09 Authoring application: Microsoft Excel
MD5: 5c1384a9073d57a8dcd0321d3f6a712c SHA-1: e9b685808d370e5513a1991af9e70c31d27ab9cb SHA-256: 937ecc371054606101523efb010edcb490d171100127998e70da93aab5a2415e
84 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The file is an Excel spreadsheet that contains embedded URLs. The heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicates that VBA macros are present and configured to execute automatically upon opening, specifically using 'CreateObject'. This suggests the file is designed to download and execute a secondary payload from one of the listed URLs. No document body text was available for analysis, and VBA macros could not be extracted, limiting deeper insight into the specific lure.

Heuristics 4

  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL https://transportesrmb.com/crm/ywUFFQLQayam.php
    • https://samyberry.co.za/nlo6xegZx.php#v
    • https://dc-consult.co.za/QlqIu1e0M1.php$/bLafBO
    • https://sumber-artha-abadi.com/Xz2hQ3Gse1mF.php
    • https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php)s
    • https://app.lead-concept.com/ws/wSu6ZEPLdlxH7W8.phpMFxMJRMFxMJRMFxMJRMFxMJRMFxMJR
    • https://tres-erres.com.ar/h/gnu/PHPExcel/locale/cs/0GHHoPxx.php5C
    • https://oab83.org.br/UFZ1ZFXzaX0qhAv.phpuxXLIy@(VO:\eN�
    • https://mapeg.com.br/iptv/videos/wYkijZx9GpGwaj.phpr%q8(3AX7d

Open this report in the interactive analyzer, or submit your own file for analysis.