Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bf19534d31541387…

MALICIOUS

Office (OLE)

23.5 KB Created: 2021-07-18 23:26:46 Authoring application: Microsoft Excel
MD5: c9123fe2a9ea247a974641a32940335b SHA-1: 13c5be04c9afceb11892f27767d7bc45c33b4b9c SHA-256: bf19534d31541387c22c69963c679114bac4315d83e1dd3dc7b775b7dd377658
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The Auto_Open VBA macro in this Excel file is designed to execute upon opening, calling the DllInstall function with a URL pointing to a script file. This indicates the document is intended to lure the user into opening it, subsequently downloading and executing a second-stage payload from the specified URL. The URL 'http://185.140.53.164:4444/jefe/uploads/Excel.sct' is the primary indicator of compromise.

Heuristics 3

  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://185.140.53.164:4444/jefe/uploads/Excel.sct

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
6cdb249b2f99d19cfe3aec369b7ca110e599d52772e66d9d02f9a3d68c54d9d3		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2074 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.