Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a5c5aef7a92935dc…

MALICIOUS

Office (OLE) / .XLS

Size: 476.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-03-15
MD5: 561a731b601e6ae89285965a2baa641a
SHA-1: f2cacb03deb461edc578400b5d53082ae2382a52
SHA-256: a5c5aef7a92935dc91e55e03674651d27ebdb348fbde8dc55e3f77a47ce6b11a
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1137.001 DLL Search Order Hijacking

The sample is an Excel spreadsheet containing VBA macros. The Workbook_Activate subroutine is designed to execute when the file is opened. It concatenates strings from cells A105, A104, A103, and A100 into a single string, which is then written to a batch file named 'MqjAP.bat' in the user's AppData directory. The GetObject function is called, potentially to interact with the file system or to execute commands. The Environ("AppData") call resolves the path to the user's AppData directory at runtime. The exact content written to the batch file depends on the values in the spreadsheet cells, which could not be fully extracted because the document body (DOC BODY) is stored in binary form.

Heuristics (3)

  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; the document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 121cba7cc6f2bf99b7c0c65332c772db887abe8bf6c5ff32a0f40d58dd344169
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1343 bytes