Office (OLE) / .XLSX malware analysis — malicious · 946f97092e475631

MALICIOUS

Office (OLE) / .XLSX

33.0 KB Created: 2015-06-05 18:19:34 Authoring application: Microsoft Excel First seen: 2022-08-16

MD5: 6dabe76f9fa957dfcb2d947ad28178f4 SHA-1: 0c1b88561dd995109283fd14233e2c01ddb2800d SHA-256: 946f97092e475631921bb51d3f7c964ceab14537246ad5b91f4b4d8d6fee8410

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The Workbook_Open macro is designed to execute a batch script, 'Outlook.bat', which is written to the user's Public directory. This script appears to be obfuscated but likely downloads and executes a second-stage payload. The presence of Shell() calls and cmd.exe references strongly indicates an attempt to run arbitrary commands. The macro's intent is to bypass initial security measures and download further malicious content.

Heuristics 6

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `9aae994c2e1c1317470f797f5379b50ed17f44f406e21538b812f3b5e27660ed`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5486 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.