Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9a3b8f5727248fda…

MALICIOUS

Office (OLE) / .XLS

Size: 29.5 KB
Created: 2022-04-26 15:49:28
Authoring application: Microsoft Excel
First seen: 2022-04-27
MD5: 983a5fb261009534976de3645ad2e667
SHA-1: b23158e1247f8bc91ff96c7a3b3169ef60b988b9
SHA-256: 9a3b8f5727248fdad82eeed6ec4343d5f6cea0e1d670e537e55d534dd76ba4b1
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1140 Deobfuscate/Decode Files or Information

The Workbook_Open macro is triggered upon opening the Excel file. It contains heavily obfuscated VBA code that reconstructs a URL and a registry path. The script attempts to download a second-stage payload from 'https://www.esocdragons.com/VBA/23niW_Ssr.exe' and likely writes it to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy' for persistence. The GetObject call and subsequent execution indicate downloader or dropper functionality.

Heuristics (4)

  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 6cc7ba82c2fb40eec48404d387c73aa90d7ad06bcc01786f18085983e51d4fa7
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2172 bytes