Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 93e0fc85608986b9…

MALICIOUS

Office (OLE) / .XLS

68.0 KB Created: 2022-03-28 08:11:16 First seen: 2022-03-28
MD5: 78b9c616aef45ff9255c238f4757b207 SHA-1: 7864fbe1ce78a0e97ee70d1ba252d7e542ec49c3 SHA-256: 93e0fc85608986b9615f74cb69249f666116c926c6e5085f426f224340f0d996
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter

The sample is a malicious XLS file containing VBA macros. The macros utilize the URLDownloadToFile API, indicating an intent to download and execute a second-stage payload from a remote location. The presence of CreateProcess API calls further supports the execution of downloaded content. No specific family could be identified, but the delivery mechanism is clear.

Heuristics 5

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
290b2c18deb8270cf5d221e9ef9991b82bfdf92514f990118fa446a6fcd9fe4f		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 10401 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.