Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ad375bf1fa3cacb5…

MALICIOUS

Office (OLE) / .XLS

Size: 399.5 KB
Created: 2016-11-08 08:33:09
Authoring application: Microsoft Excel
First seen: 2022-08-01

MD5: cfc837bb4fa4db680effae61a97f45a1
SHA-1: 1ac9f20f8dae3b23d2a63ba61fc8383762db8553
SHA-256: ad375bf1fa3cacb5e0044c0332b1780e6d3505c0e7effdfb38e837fb2742bbfd

Risk score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1140 Deobfuscate/Decode Files or Information
  • T1027 Obfuscated Files or Information

The VBA macro calls CreateObject to instantiate WScript.Shell, which it uses to touch the file system and run commands. It reads Base64-encoded content from specific cells of the 'Final Offer' sheet, concatenates and decodes it, and writes the result to the temporary directory as 'nvidiax.exe' (the Environ() call flagged below is consistent with resolving the %TEMP% path). Storing the payload as cell text rather than in the macro body is the obfuscation behind T1027/T1140: the VBA source itself contains no executable bytes, so string-based detection of the dropper sees only the decode-and-write logic. The dropped file is almost certainly a second-stage payload, and the combination of WScript.Shell with a direct Shell() call strongly indicates it is meant to be executed. Note that the ATT&CK mapping above lists T1059.001 (PowerShell), but nothing in this summary describes a PowerShell invocation; verify that mapping against the extracted macros.bas before relying on it.

Heuristics (6)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • SC_STR_WSCRIPT (high): reference to Windows Script Host
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment-variable access)
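The following Python is an added example, not part of this report and not the analysis platform's own code. It shows the two things an analyst would reproduce by hand from the summary and the heuristics list above: string heuristics over decoded VBA source (using the six rule IDs and severities listed, with regexes that are my own approximation of what each rule matches), and reconstruction of a payload that the macro assembles from Base64 fragments stored in worksheet cells. The VBA snippet, the cell contents and the MZ-prefixed blob are all constructed for the example; the real macros.bas and nvidiax.exe are not reproduced on this page.

```python
import base64
import hashlib
import re

# Constructed stand-in for the macro: the page does not reproduce macros.bas,
# so this is a minimal VBA body carrying the same six indicators the report lists.
SAMPLE_VBA = r'''
Sub Auto_Open()
    Dim b64 As String, outPath As String, i As Integer
    For i = 1 To 3
        b64 = b64 & Sheets("Final Offer").Cells(i, 1).Value
    Next i
    outPath = Environ("TEMP") & "\nvidiax.exe"
    Set wsh = CreateObject("WScript.Shell")
    ' (decode b64 and write it to outPath here)
    Shell outPath, vbHide
End Sub
'''

# Rule IDs and severities are those in the report; the regexes are assumptions.
# The negative lookbehind on Shell keeps "WScript.Shell" from also firing OLE_VBA_SHELL.
HEURISTICS = [
    ("OLE_VBA_SHELL",     "critical", re.compile(r"(?<![.\w])Shell\b", re.I)),
    ("OLE_VBA_WSCRIPT",   "critical", re.compile(r"WScript\.Shell", re.I)),
    ("SC_STR_WSCRIPT",    "high",     re.compile(r"\bWScript\b", re.I)),
    ("OLE_VBA_CREATEOBJ", "high",     re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_MACROS",    "medium",   re.compile(r"^\s*(Public |Private )?(Sub|Function)\b", re.I | re.M)),
    ("OLE_VBA_ENVIRON",   "low",      re.compile(r"\bEnviron\s*\(", re.I)),
]


def scan_vba(src):
    """Return the (id, severity) pairs of every heuristic that fires on VBA source."""
    return [(hid, sev) for hid, sev, rx in HEURISTICS if rx.search(src)]


def reconstruct_payload(cells, sheet, coords):
    """Join the Base64 fragments from the given cells, in the order the macro
    reads them, and decode the result. validate=True rejects stray characters
    so a wrong cell order or a missing cell fails loudly instead of yielding junk."""
    joined = "".join(cells[sheet][rc] for rc in coords)
    return base64.b64decode(joined, validate=True)


def looks_like_pe(blob):
    """Cheap sanity check on a carved Windows executable: DOS 'MZ' header."""
    return blob[:2] == b"MZ"


# Constructed payload and cells: an MZ-prefixed placeholder split across three
# cells of a sheet named like the one in the report. Not the real nvidiax.exe.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"placeholder second-stage body " * 4
_b64 = base64.b64encode(FAKE_PAYLOAD).decode()
CHUNK = 56  # 168 Base64 chars -> 3 cells, matching the For loop above
CELLS = {"Final Offer": {(i + 1, 1): _b64[i * CHUNK:(i + 1) * CHUNK]
                         for i in range((len(_b64) + CHUNK - 1) // CHUNK)}}


def triage():
    """Run both steps and return what an analyst would record for the sample."""
    hits = scan_vba(SAMPLE_VBA)
    blob = reconstruct_payload(CELLS, "Final Offer", sorted(CELLS["Final Offer"]))
    return {
        "heuristics": [hid for hid, _ in hits],
        "pe": looks_like_pe(blob),
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

In practice the VBA source comes from olevba (the Source column under "Extracted artifacts" shows that is how macros.bas was obtained here), and the cell contents come from the workbook itself, read with a library such as openpyxl or xlrd; the decode step then gives you the dropped executable to hash and pivot on without ever running the document.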

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 54ba713ab254cfd6176a4b8846c3b0962e2e7a2f34b5c1107ba20bf283bf1595
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 7094 bytes