Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9b0ac9fff5a7bf38…

MALICIOUS

Office (OLE) / .XLS

Size: 119.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-08-11

MD5: 2057c566db6fb1532e9bee1cdab7f018
SHA-1: ac672abfc153fdabcbb1f1ffa149dc98e05e7c72
SHA-256: 9b0ac9fff5a7bf388a5921f555f31d9d6004901b62ed0d1da9eb0b19e04cbc46

Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The document carries a fake invoice lure, an embedded OLE package (the Ole10Native stream listed under extracted artifacts) and a VBA macro that runs once the user enables content. The macro does not download anything itself: it uses CreateObject to obtain an automation object, pastes the embedded OLE object into the user's AppData\Roaming directory, renames the dropped file to 'afJNP.js' and then opens it. Under the default file association, opening a .js file launches it with Windows Script Host (wscript.exe), so the script runs with the user's privileges. The macro is therefore a dropper and the JavaScript file is the next stage; because the package is carved from inside the document (ole10native_00.bin, 1613 bytes), the script comes from the file itself rather than from the network, and this static analysis of the document does not establish what the script does once it runs (for example, whether it fetches a further payload). On a host where the document was opened, expect the dropped file at %APPDATA%\afJNP.js and a wscript.exe process whose parent is EXCEL.EXE.

Heuristics (4)

  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code
  • SE_INVOICE_LURE (low): Fake invoice / payment lure; document contains invoice or payment language paired with an action verb, useful context when combined with link, macro, or attachment indicators

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: ea33d852cb533bab1fe69e0dd47a6f2cdcc582a7fb62fa43acbc17d979402d21
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1099 bytes

Filename: ole10native_00.bin
  SHA-256: aba823bb89d36efdc6ee786dd6a0d1a69b6bf3e6fe2e70922a23c46c9ba609a7
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD0945190C/Ole10Native
  Size: 1613 bytes
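The dropper described in the insights section and the ole10native_00.bin artifact above are two views of the same thing: an Ole10Native ("Packager") stream that holds the file the macro pastes to disk. The parser below is an added example, not code from this report or from oletools; it walks the stream layout that oletools' oleobj implements, pulls out the embedded file, hashes it and flags script-like labels. The sample stream, its label (invoice.js), paths and payload are all constructed here for the example and are not the 1613-byte stream from the sample, whose bytes the report does not reproduce.

```python
"""Parse an Ole10Native stream and triage the file embedded in it.

Added example (not from the report or from oletools). The stream layout
follows what oletools' oleobj.py reads; the sample below is constructed.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

# Extensions that run directly when "opened" through the shell on Windows.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr")


@dataclass
class Ole10Native:
    label: str        # display name the user sees; the dropper renames it anyway
    source_path: str  # path on the author's machine when the object was embedded
    temp_path: str    # temp path recorded by the packager
    payload: bytes    # the embedded file itself

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()

    @property
    def looks_executable(self) -> bool:
        return self.label.lower().endswith(SCRIPT_EXTENSIONS)


def _cstring(buf: bytes, off: int) -> tuple[str, int]:
    """Read a NUL-terminated ANSI string at off; return (text, offset past NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    # Layout (all little-endian):
    #   DWORD  size of everything that follows
    #   WORD   flags, 0x0002 for an embedded file
    #   char[] label, NUL-terminated
    #   char[] original path, NUL-terminated
    #   DWORD  unknown, usually 0x00000300
    #   DWORD  temp path length (including NUL)
    #   char[] temp path
    #   DWORD  payload length
    #   BYTE[] payload
    # (Unicode copies of the strings may follow; not needed for extraction.)
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    (total,) = struct.unpack_from("<I", stream, 0)
    if total + 4 > len(stream):
        raise ValueError("truncated Ole10Native stream")
    (flags,) = struct.unpack_from("<H", stream, 4)
    if flags != 0x0002:
        raise ValueError(f"unexpected flags 0x{flags:04x}; not an embedded file")
    off = 6
    label, off = _cstring(stream, off)
    src_path, off = _cstring(stream, off)
    off += 4  # unknown DWORD
    (tmp_len,) = struct.unpack_from("<I", stream, off)
    off += 4
    temp_path = stream[off:off + tmp_len].rstrip(b"\x00").decode("latin-1")
    off += tmp_len
    (size,) = struct.unpack_from("<I", stream, off)
    off += 4
    if off + size > len(stream):
        raise ValueError("payload length exceeds stream")
    return Ole10Native(label, src_path, temp_path, stream[off:off + size])


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Inverse of parse_ole10native; used only to construct the sample stream."""
    body = struct.pack("<H", 0x0002)
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", 0x00000300)
    tmp = temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(tmp)) + tmp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed sample: a harmless JScript stand-in, not the real afJNP.js payload.
SAMPLE_PAYLOAD = (b'var sh = new ActiveXObject("WScript.Shell");\r\n'
                  b'sh.Popup("constructed sample");\r\n')
SAMPLE_STREAM = build_ole10native(
    "invoice.js",
    "C:\\Users\\author\\Desktop\\invoice.js",
    "C:\\Users\\author\\AppData\\Local\\Temp\\invoice.js",
    SAMPLE_PAYLOAD,
)


def triage(stream: bytes) -> dict:
    """The facts an analyst wants from a carved package: names, hash, runnable or not."""
    obj = parse_ole10native(stream)
    return {
        "label": obj.label,
        "source_path": obj.source_path,
        "temp_path": obj.temp_path,
        "size": len(obj.payload),
        "sha256": obj.sha256,
        "executable": obj.looks_executable,
    }


if __name__ == "__main__":
    # For a real document, the stream bytes would come from olefile, e.g.
    #   olefile.OleFileIO(path).openstream(["MBD0945190C", "\x01Ole10Native"]).read()
    # (the leading \x01 is part of the stream name inside the storage).
    for key, value in triage(SAMPLE_STREAM).items():
        print(f"{key:12} {value}")
```

The flags check matters in practice: a package whose flags are not 0x0002 is a linked object rather than an embedded file, and reading a payload length out of it produces garbage. Excel stores embedded objects in storages named MBD followed by hex digits, which is why the artifact source reads MBD0945190C/Ole10Native; the hash this parser prints for the real stream's payload is what to pivot on, since the label and paths are whatever the author's packager wrote and the macro renames the file on drop anyway.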