Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 99b7bac477eb032a…

MALICIOUS

Office (OLE) / .XLS

Size: 119.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-09-13
MD5: 0799340d7cc28d4d8042a925a578c495
SHA-1: a05ce2afecb108a8176bac22d0a7ef41c108a538
SHA-256: 99b7bac477eb032a24e893d9c9ef0794de0f9f482cf5ec727403a3cccffcaf6c
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The Excel file contains VBA macros that, when enabled, attempt to copy the spreadsheet's first embedded OLE object. The macro then builds a path under the user's AppData\Roaming directory and opens a JavaScript file named 'Rhrgp.js' from it. The script likely downloads and executes a second-stage payload. The 'Shell.Application' string found in the document body further indicates that the macro launches external code.

Heuristics (3)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 040e77788c6d95bcb0a00f4d32e2a1940b969d9db843c147194548ad42f0e371
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1424 bytes
  • Filename: ole10native_00.bin
    SHA-256: fc4efb981d9988c5cff7d4ce1e6ca69bf7de0c5749e68984502eb3e1add53ec1
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD039F7F2A/Ole10Native
    Size: 1318 bytes