Office (OLE) / .XLSX malware analysis — malicious · c2283d9d0917f36a

MALICIOUS

Office (OLE) / .XLSX

33.0 KB Created: 2015-06-05 18:19:34 Authoring application: Microsoft Excel First seen: 2022-08-16

MD5: e3ef4e5798aefd57925a449e0efda671 SHA-1: d3306b452daa516222c83ab4d50a31098e186ef2 SHA-256: c2283d9d0917f36abb730abb706f9e8d2b622034d8936e1577ac0f30995a40d0

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The Workbook_Open macro is designed to execute a batch script, Outlook.bat, which is written to the user's Public directory. This script appears to be obfuscated but contains references to cmd.exe and uses string concatenation to construct commands, likely for downloading and executing a second-stage payload. The use of Environ("Public") indicates an attempt to write malicious files to a common, accessible location.

Heuristics 6

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
cmd.exe reference in VBA high OLE_VBA_CMD

cmd.exe reference in VBA
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `9aae994c2e1c1317470f797f5379b50ed17f44f406e21538b812f3b5e27660ed`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5486 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.