Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 968d7644b8f4c0e6…

MALICIOUS

Office (OLE) / .XLS

Size: 221.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-05-17
MD5: 84fbe0d4b2d91c9a9fa67f696fe77562
SHA-1: 8becebb9eb09c00843703230c6178ee23b5f22a1
SHA-256: 968d7644b8f4c0e6f1462788ae86a1c6cd6fb18bb24611e85533a682d9c0db1f
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The file is an XLS document containing VBA macros. The Workbook_Activate subroutine uses a GetObject call to execute a command constructed by concatenating values from specific cells (B200, B205, B207, B208, B100) and a reversed string. This indicates the macro is designed to run an external command, likely a downloader for a second-stage payload. The GetObject heuristic firing supports this analysis.

Heuristics 2

  • [high] GetObject call (OLE_VBA_GETOBJ)
    GetObject call
  • [medium] VBA macros detected (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (147b7349c71e73e845ce765089c0b2b3a477cd890758b65b096ecb026a0d0bd6)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 934 bytes