Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a00815cee8133733…

MALICIOUS

Office (OLE) / .XLS

Size: 479.0 KB | Created: 2015-06-05 18:17:20 | Authoring application: Microsoft Excel | First seen: 2022-04-26
MD5: b23244e41a07338c0cc74d52425c0fa7
SHA-1: 9f0bd3278bb886ef7ca6dfc064ff4c8ae5361f40
SHA-256: a00815cee8133733c68e6d1638a489dd16d2ccfae79ce61c1589d6004cd9ddb0
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218 System Binary Proxy Execution (formerly named Signed Binary Proxy Execution)

The sample is an Excel workbook that contains VBA macros (high-confidence detection). The decoded code calls GetObject, which obtains a COM object from a moniker (for example a WMI or Shell object) and is a common way for a macro to interact with the system or start a process without a visible Shell() call, and Environ(), which reads environment variables such as TEMP or APPDATA and is commonly used to build a drop path. The code also defines a Workbook_Activate event procedure, so once macros are enabled it runs without further user action when the workbook is opened and activated. The many commented-out MsgBox calls look like debugging residue left by the author rather than functional behaviour. Taken together these building blocks are consistent with a downloader that fetches and runs a second stage, but the actual payload and the exact execution method could not be determined from the available code because of obfuscation and truncation.

Heuristics (3)

  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
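The indicators above are simple to re-check by hand once the macro source has been decoded. The script below is an added example (not part of this report and not oletools code): given VBA text already extracted with a tool such as olevba, it reports which of the three heuristics fire on live code, which indicators appear only inside comments (so that debugging residue like the commented-out MsgBox calls does not inflate the result), and which auto-executing event procedures are defined. The heuristic IDs and severities are the report's; the regular expressions, the event-name list and the sample VBA are constructed for the example and are not the sample's real macro code.

```python
"""Triage of decoded VBA source for the indicators flagged in this report.

Added example; it is not part of the report or of oletools. Input is VBA
text that has already been extracted and decoded (for instance by olevba).
"""
import re
from typing import Dict, Tuple

# Heuristic IDs and severities are the ones listed in the report; the patterns
# are this example's own (assumption: indicators are called with parentheses).
HEURISTICS: Dict[str, Tuple[str, str, str]] = {
    "OLE_VBA_GETOBJ": ("high", r"\bGetObject\s*\(", "GetObject call"),
    "OLE_VBA_ENVIRON": ("low", r"\bEnviron\$?\s*\(", "Environ() call (env variable access)"),
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Event procedures Office runs on its own once macros are enabled.
# Workbook_Activate is the one seen in this sample.
AUTOEXEC_EVENTS = {
    "auto_open", "autoopen", "autoexec", "workbook_open",
    "workbook_activate", "document_open",
}


def strip_vba_comment(line: str) -> str:
    """Drop a leading Rem comment or a trailing ' comment, leaving apostrophes
    inside string literals alone. (A Rem after ':' on the same line is not
    handled here.)"""
    if re.match(r"\s*Rem\b", line, re.IGNORECASE):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string  # a doubled "" toggles twice, net no change
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_vba(source: str) -> Dict[str, list]:
    """Return heuristics firing on live code, indicators seen only in comments,
    and any auto-executing event procedures, with 1-based line numbers."""
    result: Dict[str, list] = {"heuristics": [], "commented_out": [], "autoexec": []}
    has_code = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_vba_comment(raw)
        if code.strip():
            has_code = True
        for hid, (severity, pattern, desc) in HEURISTICS.items():
            if re.search(pattern, code, re.IGNORECASE):
                result["heuristics"].append((hid, severity, desc, lineno))
            elif re.search(pattern, raw, re.IGNORECASE):
                result["commented_out"].append((hid, lineno))
        m = re.match(r"\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)", code, re.IGNORECASE)
        if m and m.group(1).lower() in AUTOEXEC_EVENTS:
            result["autoexec"].append(m.group(1))
    if has_code:
        # OLE_VBA_MACROS has no single line; it fires on the presence of any live code.
        result["heuristics"].insert(
            0, ("OLE_VBA_MACROS", "medium", "Document contains VBA macro code", 0))
    return result


def max_severity(result: Dict[str, list]) -> str:
    """Highest severity among the heuristics that fired, or 'none'."""
    return max((h[1] for h in result["heuristics"]),
               key=SEVERITY_RANK.__getitem__, default="none")


# Constructed sample shaped like the indicators in the report; not real code
# from the analysed file.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisWorkbook"
' Constructed sample for this example; not the sample's real macro code.
Private Sub Workbook_Activate()
    'MsgBox "debug: activate fired"
    Dim tmp As String
    tmp = Environ("TEMP") & "\stage.dat"
    'MsgBox "path: " & tmp
    Set wmi = GetObject("winmgmts:")
    ' Set sh = GetObject("new:13709620-C279-11CE-A49E-444553540000")
End Sub
'''

if __name__ == "__main__":
    r = scan_vba(SAMPLE_VBA)
    for hid, sev, desc, ln in r["heuristics"]:
        where = f" (line {ln})" if ln else ""
        print(f"{hid:<16} {sev:<6} {desc}{where}")
    for hid, ln in r["commented_out"]:
        print(f"{hid:<16} commented out on line {ln}")
    print("auto-exec procedures:", ", ".join(r["autoexec"]) or "none")
    print("max severity:", max_severity(r))
```

Run against the real artifact by feeding it the decoded text of macros.bas; the script deliberately does not parse OLE itself, since that is what olevba already does.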

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8b55d507a7e4ab575cf2c0fc4b038d7b046801e316618bbda9ca6277e7a8563d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3434 bytes