Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 aeb04b570e3a4a5f…

MALICIOUS

Office (OLE) / .XLS

Size: 84.5 KB
Created: 2022-08-09 08:57:53
Authoring application: Microsoft Excel
First seen: 2022-08-09
MD5: a6b5daf3bba700f23553bda52e6af69f
SHA-1: 717249c18c82dfc8a15aa2a256998661a0a4d822
SHA-256: aeb04b570e3a4a5f9c28f00427556a2c527a4beeef64ed00de4f9ffc7d04c6b1
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The critical-severity heuristic OLE_VBA_HTTP_DROP_EXEC indicates that the VBA macros download a file from an HTTP URL and write it to disk. The script also calls CreateObject and GetObject, which are commonly used to execute a downloaded payload. The URL reconstructed from the script is http://192.168.1.100/payload.exe, which is likely the second-stage payload.

Heuristics (4)

  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths, this is a download-and-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: ce61a9a743bb53603d10048c06877c51ef47ae5560a4ce0cda720b215f36aca4
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3836 bytes