Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 98be7c9fa5b5b3b8…

MALICIOUS

Office (OLE)

88.0 KB Created: 2020-09-15 00:43:13
MD5: 5724c4eb6269a530ac1bde792e0964dd
SHA-1: c521a42e927eca217247243c8b7016d5fdbd0eba
SHA-256: 98be7c9fa5b5b3b8eab7684075547b61df0f37682805fd37e329e45f0c5bfb17
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic

The file is an Office document containing VBA macros, specifically a Workbook_Open macro, which is designed to execute automatically when the workbook is opened. The heuristics that fired indicate the presence of VBA macros, a Workbook_Open event, and a CreateObject call, suggesting the macro attempts to instantiate and run objects. The extracted artifact 'macros.bas' is the source of this macro code. While no specific URLs or hashes were extracted, the presence of an auto-executing macro strongly suggests malicious intent, likely to download and execute a second-stage payload or perform other malicious actions.

Heuristics 4

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas aaba7df0e3c050a0aa9bbf1c03420de6913ebf740559711a83ac41ed65d84cc9 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5638 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.