Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a82f51ee0fcaaab6…

MALICIOUS

Office (OLE) / .XLS

Size: 476.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-20
MD5: 08c7e9e583d814bb439a169e16c5b96b
SHA-1: e980f1961259e0ac5a62b0e9834b1bf4812ca173
SHA-256: a82f51ee0fcaaab61e98d2fea4fd1647953bcdaf2a27949e13291967797bc0a7
Risk Score: 68

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1140 Deobfuscate/Decode Files or Information

The file is an Excel spreadsheet containing VBA macros. The Workbook_Activate subroutine, which runs automatically when the workbook is activated, constructs a string from cell values and writes it to a batch file named 'Sanek.bat' in the user's AppData directory. The GetObject function is called, indicating potential interaction with other COM objects. The Environ("AppData") call resolves the path to the user's AppData folder at run time, so the path is not present as a literal in the macro. The script's intent is to create a batch file that likely serves as a dropper for further malicious activity.

Heuristics (3)

  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
SHA-256:   9900a18786ac94dd4dec71619aec2514902b24e1ec1748a09616de6611dc8960
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      1343 bytes