Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a6b141c048ce6a03…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: f5ed0f7585f507254d97fcd1c76a1b78
SHA-1: efdb03b3b3a5a82d8191310d6fa2961f98183a76
SHA-256: a6b141c048ce6a034a60b687aa5de8a4cfe294ad535b2bc100dd80055b1f24c4
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The document contains a lure instructing the user to enable macros, a common tactic for malware droppers. Embedded scripts indicate the use of PowerShell and WScript to download and execute a second-stage payload from the URL 'http://windowsupdate.me/update-index.aspx?req=__\'. The script also attempts to rename the downloaded file to a .bat.txt extension and execute it.

Heuristics (3)

  • Reference to PowerShell (severity: high, rule: SC_STR_POWERSHELL)
  • Reference to Windows Script Host (severity: high, rule: SC_STR_WSCRIPT)
  • Macro/content-enable lure (severity: medium, rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.