Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a233724a85833599…

MALICIOUS

Office (OLE)

51.0 KB Created: 2013-02-05 10:04:55 Authoring application: Microsoft Excel First seen: 2015-04-05
MD5: ce130212d67070459bb519d67c06a291 SHA-1: ad0328c07b761e934619d71f4cc17d230794c8b9 SHA-256: a233724a85833599b75ff4beab42f7ce30cb076572629ee487a7813148c9f729
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an Excel document that uses a social engineering lure to convince the user to enable content, likely to execute a malicious payload. Heuristics indicate that the document package drops an executable file named 'http193.26.217.221zxrssidin.exe.vbs', which is likely a VBScript downloader. The presence of 'SC_STR_WSCRIPT' heuristic further supports the execution of a script via Windows Script Host.

Heuristics 4

  • ClamAV: Xls.Dropper.Agent-1871571 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-1871571
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: MBD03331D2E/Ole10Native 8609 bytes
SHA-256: f6c4d549b3d16f822618a84980ff1549801c17bb00ae197c7e66f46378a9a720
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Shell").Run(""& oulhnuxsrrvvhzm &""),0A