Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b595eb532ad89ad1…

MALICIOUS

Office (OLE) / .XLS

Size: 479.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-26
MD5: 10a69c23c242537ae9fc2189604ac4a8
SHA-1: 63e058672bc4c2e406b226ada643cebe56fb768a
SHA-256: b595eb532ad89ad1c0491ed5ec2ee5097135d873deeb154a146d1a64b41c501f
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros. The Workbook_Activate subroutine is present, indicating that the macro will execute automatically when the workbook is opened or activated. The presence of GetObject calls and Environ() calls suggests potential for dynamic code execution or environment variable manipulation, common in macro-based malware. No specific IOCs like URLs or file paths were extracted from the script, limiting further analysis of its payload.

Heuristics (3)

  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas (3d4efa879b90b39921c268e986210205c4e6806fa5b323551f864955cc71805c)
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 3434 bytes