Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c52d747cc20d321a…

MALICIOUS

Office (OLE) / .XLS

33.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-04-28
MD5: 30875285b66ef1ca21e1bc6ec361dbd0 SHA-1: d80196b1fb3002a531b8279575a02e4f3d6d42c6 SHA-256: c52d747cc20d321a0185798c328468b564f9c5a213270ad07861fa7cc147fdda
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is a malicious Microsoft Excel file containing VBA macros. The Workbook_Deactivate event triggers a function that concatenates strings from cell notes and uses GetObject to instantiate a WScript.Shell object. This object then executes a command constructed from the concatenated strings, likely downloading and running a second-stage payload. The GetObject call to "new:WScript.Shell" and subsequent execution via rundll32.exe are indicative of a downloader or dropper.

Heuristics 2

  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
3b93916a922e04d602dd6502d71b66d6eba6e634d3483b2994b53245fd2af732		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1141 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.