Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a4cb3cfc2cebf32d…

MALICIOUS

Office (OLE) / .XLS

Size: 54.0 KB
Created: 2007-05-04 06:27:53
MD5: 82987a23ad1af9146f9f483f9c1f3891
SHA-1: c1cbb3e4a0d552f704f88f5dc9462f45459ed532
SHA-256: a4cb3cfc2cebf32d7f32469f7b35e0ebf8892f1c6aab60731783b15674fba7d7
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an OLE Excel file containing VBA macros. The critical-severity heuristic fired on Shell() calls, and the high-severity heuristic fired on CreateObject() calls. The VBA script `macros.bas` uses `CreateObject("Scripting.FileSystemObject")` to create a file named `CSVLEI.TXT` and then calls `Shell("NOTEPAD CSVLEI.TXT", vbNormalFocus)` to open it. This suggests the macro is designed to generate and display a file, potentially as part of a social engineering lure or to prepare for a second-stage download. The document body contains what appears to be payroll information, which reinforces the lure aspect.

Heuristics (3)

  • [critical] Shell() call in VBA (OLE_VBA_SHELL)
  • [high] CreateObject call (OLE_VBA_CREATEOBJ)
  • [medium] VBA macros detected (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (63a72a9ea501accada32f15bd5d2203b1b8468a248bfc4be8e23f279f42121e2) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2270 bytes