Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a78ceb0178abe8b1…

MALICIOUS

Office (OLE) / .XLS

Size: 37.0 KB
Created: 2012-02-20 00:06:50
Authoring application: Microsoft Excel
First seen: 2022-04-07
MD5: e664b47a06d3b24fb72f8e644d0dce61
SHA-1: 8c06981427c9881ace953d9db8cd259a57bd0c92
SHA-256: a78ceb0178abe8b1dbf87cd6c17fa2a2a10c34f4837b5f87b0e206f2a3d534a4
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an Excel file containing a Workbook_Open macro, which is a common technique for executing malicious code upon opening. The VBA script uses string manipulation and obfuscation to reconstruct a URL and a registry key. Specifically, it reconstructs the URL 'http://83.231.101.22/24/cn.txt' and the registry path 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'. The GetObject call and the subsequent Create method indicate an attempt to download and execute a second-stage payload from the reconstructed URL, establishing persistence via the Run key.

Heuristics 4

  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 8aa7132bb7eed81f5d3e9b7485748a2c81f190e6660bb2fe78fcf6afa7129f61
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1917 bytes