Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ae1875d84578de33…

MALICIOUS

Office (OLE) / .XLS

112.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-03-09
MD5: 3fcd4630a98b13b20b5b2c98d32138ab SHA-1: 1f8f284c953d955aab79f506a84566448aa41813 SHA-256: ae1875d84578de33147aa6a13293b15af610a73835eb5c7d91ab77a83b104c1a
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1105 Ingress Tool Transfer

The VBA macro contains logic to rename a downloaded file from '.txt' to '.js' and then execute it. The script reconstructs the URL 'http://92.172.191.101/save/vbs.sbv' to download a file, which is then saved to a temporary directory and renamed to 'gQAqs.js'. The macro also uses ShellExecute to run PowerShell, which is configured to download and execute a script. This indicates a downloader functionality, aiming to fetch and run additional malicious payloads.

Heuristics 5

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
64505a76218c630b2ec8d411290da2fa219b70d8535db7135fa7433f8dc5d334		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1269 bytes
ole10native_00.bin
c74dad369bd77da7d684b25076d0218794c7ef629a2a38f6f563e54504359ee7		 ole-package OLE Ole10Native stream: MBD02C00CAF/Ole10Native 1065 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.