Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 c157f75661b94976…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.62 MB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: d0bde332e38eb055c419bfe231d3bef6
SHA-1: 6529f03355f1efd004bde337db6a563f8a0773f1
SHA-256: c157f75661b94976a4772ce33efe01525a5a4a5a5ea9a84878a7f95e65001ba5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an Excel spreadsheet containing VBA macros. A heuristic firing indicates the document contains an 'enable lure' instructing the user to enable macros, a common technique for macro-based malware. The presence of CreateObject and CallByName calls suggests the macro is designed to execute code. No specific family could be identified, and no URLs or other IOCs were extracted from the document body or macros.

Heuristics 4

  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (b467d81e99f59c0059f5aaf05cf5899a6171053d06319f771455ab0e8e14aa93) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3218 bytes