Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 973486882501663d…

MALICIOUS

Office (OLE) / .XLS

Size: 51.0 KB
Created: 2023-02-22 07:56:08
Authoring application: Microsoft Excel
First seen: 2023-02-22
MD5: 0ee5f43324e36743374d4bdc4fd79f57
SHA-1: e8f22dc5e760cc238d7649ecfb1b84638eb424bc
SHA-256: 973486882501663deef8a592a99988773207a476f38ff9968d2177258e66763b
Risk Score: 248

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059 Command and Scripting Interpreter

The sample is an Excel file containing VBA macros. Critical heuristics indicate use of the URLDownloadToFile API together with Shell() calls, suggesting the macro is designed to download and execute a second-stage payload. The presence of the `URLDownloadToFileA` string in the VBA code further supports this. The exact URL and filename are obfuscated within the script, so they could not be extracted directly by static analysis.

Heuristics (6)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA macros detected: document contains VBA macro code (medium, OLE_VBA_MACROS)
  • Environ() call, environment variable access (low, OLE_VBA_ENVIRON)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 75d93eec6aa9032b8d12b82ad9fd8c2d175fe3d4bfd0c13aeee04e69660660ea
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2423 bytes