Office (OLE) / .XLA malware analysis — malicious · bb22cd647e7ffc08

MALICIOUS

Office (OLE) / .XLA

699.5 KB Created: 2004-04-06 20:50:55 Authoring application: Microsoft Excel

MD5: 919fbc4cf08961a692fb6e5e941dae9a SHA-1: c0a2bec54ccb6ef77dbc66c8df5b119312f2cc2b SHA-256: bb22cd647e7ffc085a6587dcce2b9d2f4dda9b37fd6da743694b9d8e20cedd02

280 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file is an Excel macro-enabled workbook (XLA) containing multiple auto-execution VBA macros (Workbook_Open, Auto_Open, Auto_Close). A critical heuristic firing indicates the use of the Shell() function within the VBA code, which is commonly used to execute arbitrary commands or download and run additional payloads. The presence of embedded URLs, specifically http://www.cema.edu.ar/~jvarela/Installed.htm, suggests a potential download source for a secondary stage. The extracted file 'macros.bas' is also flagged as suspicious.

Heuristics 8

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.cema.edu.ar/~jvarela
- http://www.cema.edu.ar/~jvarela/Installed.htm
- http://www.cema.edu.ar/~jvarela��y��K�@http://www.cema.edu.ar/~jvarela�@`��@�qnNormalCJ_HaJmH

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `a6a315703926d37e1c1cad28379b1cd7dfaae031c6867db99a405d538188678d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	867488 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 10 shell/COM execution token(s). Carved artifact contains 68 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.