Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b65e9be3fa98ae32…

MALICIOUS

Office (OLE) / .XLS

452.0 KB Created: 2020-10-05 07:39:48
MD5: f4068caac80741bef1d10c4d1d325356 SHA-1: d489e731bcc3e83d2a7144885d70a4f11e359112 SHA-256: b65e9be3fa98ae321646a817f559e8f213b7b3e40ab8b68c46a07b153abb48d0
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The Workbook_Open macro is configured to execute a PowerShell command. This command downloads a file from 'http://45.66.250.101/iT/607188.jpg' and saves it as 'C:\Users\Public\Documents\eydbdiir.exe', then executes the saved file. This indicates the macro's intent is to download and run a second-stage payload.

Heuristics 4

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
fde7a034832762ebb5caadf88f9a5361838f6970157c9f4e7f44f68fbbb3e88e		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1259 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.