Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a0f1d5d0b561c148…

MALICIOUS

Office (OLE) / .XLS

Size: 674.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2026-02-26
MD5: 40a936721585c1f85d409271994d62e0
SHA-1: 07529bdd7e88d1a30716903b588cdc6f92f2c36d
SHA-256: a0f1d5d0b561c148b366eb95c1c01de231d25de5862a6f7fba3bc9a5ea85a05a
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The sample is an Excel spreadsheet containing VBA macros, indicated by the OLE_VBA_MACROS heuristic. The presence of a CreateObject call suggests the macro is attempting to instantiate objects, likely for malicious purposes such as downloading or executing further payloads. The document body contains text related to GST (Goods and Services Tax) filings, suggesting a lure to entice users to open the file and enable macros. The embedded URL 'https://www.gst.gov.in/download/returns' is likely used as part of the social engineering pretext.

Heuristics 3

  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.gst.gov.in/download/returns

Extracted artifacts 1

Files carved from inside the sample during analysis.

  Filename: macros.bas
            863e6e94a2fae9bd1b055c46c57f694fc9cb077776083c7156e7da9e98ca0b67
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 230894 bytes