Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 ab34ccadba654360…

MALICIOUS

Office (OLE) / .XLSX

4.76 MB Created: 2006-11-08 15:21:05 Authoring application: Microsoft Excel First seen: 2023-01-31
MD5: 1864daba8e2bc3d17e4b7c4d0eb13e60 SHA-1: 2f7ceb2fdc8c7db9a71566028de6628aab15ea4b SHA-256: ab34ccadba65436073c0dcc52f5f615fc2f2f9e83d766073141223f0d09317c1
622 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains critical heuristics indicating the presence of an obfuscated VBA loader that utilizes WScript.Shell and CreateObject to execute code. Specifically, the Workbook_Open and Auto_Open macros are designed to trigger the malicious payload. The VBA script directly calls the ShellExecute API, which is commonly used to download and execute further stages of malware from external URLs. The embedded URLs point to suspicious domains, suggesting a download mechanism.

Heuristics 15

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • x86 GetPC stub (CALL $+5; POP EBP) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://srcedit.pekori.jp/tool/share_e.txt
    • http://srcedit.pekori.jp/tool/share.txt
    • http://srcedit.pekori.jp/tool/method_e.txt
    • http://srcedit.pekori.jp/tool/method.txt
    • http://srcedit.pekori.jp/
    • http://news.yahoo.co.jp/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b075b22268de40df44f5f598651b5a91d1d28c494451ecf4c523d026ce11c9c5		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 8388608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.