Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 9d0a21ce53c6004f…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.62 MB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 213f9328ca43d51c50b74cdaaeca1ae5
SHA-1: f7e7b5d5442328f615a707c78995e37fb0643af5
SHA-256: 9d0a21ce53c6004f0caa583e2bcfbad4200eb7b3c9f5b2b68c8858592c7ec9d7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an Excel spreadsheet containing VBA macros. The 'SE_ENABLE_LURE' heuristic indicates the document attempts to trick the user into enabling macros. The 'OLE_VBA_CREATEOBJ' and 'OLE_VBA_CALLBYNAME' heuristics suggest the macros are designed to execute arbitrary code. No specific family could be identified, but the overall pattern is consistent with a macro-based downloader.

Heuristics (4)

  • CreateObject call (high; OLE_VBA_CREATEOBJ)
  • CallByName call (high; OLE_VBA_CALLBYNAME)
  • VBA macros detected (medium; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Macro/content-enable lure (medium; SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (b467d81e99f59c0059f5aaf05cf5899a6171053d06319f771455ab0e8e14aa93) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3218 bytes