Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 adbbd78d5c79c11d…

MALICIOUS

Office (OLE) / .XLS

129.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-17
MD5: ef647821a5b83276209b316934bad8ab SHA-1: 1e01b86c162aad282434c34d13147dd404e8d59a SHA-256: adbbd78d5c79c11d3e5f723085b3d5d3fb2a34047a3e2a8791cdd764b78b08f7
108 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Excel file containing VBA macros. The macro uses `CreateObject("Shell.Application")` and `InvokeVerb("Paste")` to write a JavaScript file named 'rkWwH.js' to the user's AppData\Roaming directory, and then attempts to execute it. This indicates a downloader or dropper functionality.

Heuristics 4

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
4e4ed878a606b83fb3c1b380939665c3649f3a184bce96fe37cd2b1b5f520b9a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1203 bytes
ole10native_00.bin
49ee2c9bb81f03f3b4a8c2fd32dcc2d17f5a7434d12a3a1e46e26be5e8adcb36		 ole-package OLE Ole10Native stream: MBD0B49396D/Ole10Native 1181 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.