Office (OLE) / .XLS malware analysis — malicious · b593add117782fee

MALICIOUS

Office (OLE) / .XLS

52.5 KB Created: 2021-08-17 12:24:08 Authoring application: Microsoft Excel First seen: 2021-10-02

MD5: 9354fbce4049d5c06ecff97dd71f5c3a SHA-1: 8e13d077a481b11bdcb3e663712e5c42d29eb3ba SHA-256: b593add117782fee1816d31afd95355533f926653b140291445543d9e3aca246

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel spreadsheet containing VBA macros. A heuristic indicates the presence of a macro-enable lure, instructing the user to enable content. The Auto_Open macro uses the MSScriptControl.ScriptControl object to execute code. The script dynamically loads code from the document's 'Subject' and 'Comments' properties, which is a common technique for obfuscating malicious payloads. The exact payload is not directly visible in the provided script, but the execution method is indicative of a downloader or initial execution stage.

Heuristics 4

MSScriptControl.ScriptControl — CVE-2015-0097 high CVE likely CVE_2015_0097_SC

MSScriptControl.ScriptControl — CVE-2015-0097
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `0278d22c57457c6ea65486c5e13f4b06bae683e9ef9fa360c905d1932da96848`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	862 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.