Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9465c35c652271b1…

MALICIOUS

Office (OLE) / .XLS

124.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-18
MD5: 873c90af6836b2ad3cce748e99d1b0bd SHA-1: 266f7f7ac7890227852a996d5f71bf09483616df SHA-256: 9465c35c652271b12b696f88d353149641b74c354d955753e10ee14424e84f88
108 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1140 Deobfuscate/Decode Files or Information

The VBA macro uses CreateObject to instantiate Shell.Application and then executes a JavaScript file named 'sShlx.js' from the user's AppData\Roaming directory. The macro also renames a file to 'sShlx.txt', suggesting a download and execution chain. The presence of a fake invoice lure further supports a malicious intent to deceive the user into enabling macros.

Heuristics 4

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9d8c00a59301ea1b6123606e26922ad280790a96f2f8999fbcd9633cc2307a61		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1345 bytes
ole10native_00.bin
fc8dd6c978e1f235abe2860bd06b5f2554a85925056930bbb3335a3392075b83		 ole-package OLE Ole10Native stream: MBD0BD427FB/Ole10Native 1197 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.