Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a66847bd06619b95…

MALICIOUS

Office (OLE) / .XLS

1.36 MB Created: 2005-04-25 18:34:18 Authoring application: Microsoft Excel
MD5: 8db2259739cd3ad0a39cfbd2fe550de9 SHA-1: f82224e392b606e33ff34e717ca11e7961c95de1 SHA-256: a66847bd06619b95d4a6f9907926fad19f8a2b9a7d07bb86369fd1c97b3cbc08
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an Excel file containing a Workbook_Open macro, which is a common technique for automatic execution upon opening. The critical heuristic firing indicates a Shell() call within the VBA code, suggesting the macro attempts to execute external commands. This is further supported by the presence of embedded URLs, which are likely used to download and execute a second-stage payload. The document body content appears to be unrelated spreadsheet data, indicating a lure.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tudosobrexcel.com9
    • http://www.tudosobrexcel.com/excel_forum/forum.htm�
    • http://www.tudosobrexcel.com�
    • http://www.tudosobrexcel.com/excel_forum/
    • http://www.tudosobrexcel.com
    • http://www.tudosobrexcel.com/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
277e3798bb06106a6691cf149e65c66ccc3c57d5fde2b10d0c84c5eab2c8cb5f		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 147532 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.