Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 97339d81a80a70f5…

MALICIOUS

Office (OLE) / .XLS

32.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-24
MD5: 126541e1872673e364c780a1dc860f3e SHA-1: 076c3968c92761e79c8cd41076a23d322b17b53b SHA-256: 97339d81a80a70f556768d4fde7b1972a69e3a4c39d85e4051f605c892ab1339
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic

The embedded VBA macro contains a call to CreateObject and references PowerShell, indicating it's designed to execute a malicious script. The script itself reconstructs a PowerShell command that downloads a VBScript from 'http://gdcifkt.kt/igc/protector-Client/vbs/appdata/temp/notepad.vbs' and saves it as 'C:\Users\Public\protector-Client\vbs\appdata\temp\notepad.vbs' for execution. This indicates a downloader or dropper functionality.

Heuristics 3

  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
bbd08e0baf70a968807c23c3c5db5ad174899f4c64848448eb37c5f44048e719		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1377 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.