Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9a8d8cc1ffa1e3b0…

MALICIOUS

Office (OLE) / .XLS

51.5 KB Created: 2020-11-11 14:39:23
MD5: a44ef0f0dad035a5ed4eb589445f5519 SHA-1: 95e5ecd3df08a43681ea07429b20aac460071f72 SHA-256: 9a8d8cc1ffa1e3b0e25826f5d1619fcbba7045ea6c48e756cc237106bf20be9a
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1059.003 Windows Command Shell

The sample contains VBA macros that trigger the execution of Excel4 macros via an ActiveX event. This technique is commonly used to download and execute further malicious content. The embedded document text appears to be obfuscated or encrypted, preventing a clear understanding of the lure. No specific family could be identified due to the lack of clear indicators beyond the execution method.

Heuristics 2

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
ecc7343ec24293c54cabfb247223f1608ec3fe264ad2f3284d45c98000f666c1		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2226 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.