Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 938a8a3730159aae…

MALICIOUS

Office (OLE) / .XLS

Size: 54.5 KB
Created: 2023-02-15 08:45:23
First seen: 2023-02-22
MD5: 2a2c65e9732a2d6cff46b727e41b928b
SHA-1: 12a91d82365400c05cb89953d152e10d07204dd9
SHA-256: 938a8a3730159aae968d54d6a722e34abdc7569445cd6971ab45d3f45a7e26a5
Risk Score: 248

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The XLS file contains VBA macros that call the URLDownloadToFile API to fetch a payload from a remote host. The macro code also uses CreateObject to instantiate an XMLHTTP object, a second indicator of network communication to retrieve the secondary payload. A Shell() call indicates that the macro executes a command or the downloaded file, and an Environ() call shows that it reads environment variables, typically to resolve a local path.

Heuristics (6)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA macros detected (medium, OLE_VBA_MACROS): document contains VBA macro code
  • Environ() call, environment variable access (low, OLE_VBA_ENVIRON)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: dc5b5656079d0c16fa55f86a75175c86dddbf81d9c4e1b5525421e83937c9d5e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2536 bytes