Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 aa4c77260a331415…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS

Size: 483.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-05-26
MD5: 5cbb5169239dcb02293662b6f2d5c09e
SHA-1: 658c0105fa50cfaa0d838f9f304ff6979dae196c
SHA-256: aa4c77260a3314158bb6a9ffe4ce691c90bc905d93275dc7ca218d60012086e4

Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic

The XLS file contains VBA macros that use a `CreateObject` call to execute a PowerShell command. The command is built by concatenating the string "Powe" with values read from cells T200, T400, and T100. Those cell values are obfuscated so that only characters whose font color is not white form part of the command; the macro's `GetColorText` function extracts these characters. The reconstructed command likely downloads and executes a second-stage payload. The exact cell values could not be fully recovered statically because of this obfuscation method.

Heuristics (2)

  • OLE_VBA_CREATEOBJ (severity: high): CreateObject call
  • OLE_VBA_MACROS (severity: medium): VBA macros detected; document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1785 bytes
SHA-256: c67e5b37737d793ff151e0f38e676e33b4bbbf22b7b4c0d61b6d87e4c98944b4