Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c6eff45cbe4fdf6a…

MALICIOUS

Office (OLE)

Size: 85.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: aff94a62edc83dfcab8d192c4d4787c1
SHA-1: cbbf4de6bed418812a1150cfdf4faf01c52dfc91
SHA-256: c6eff45cbe4fdf6a90c42d0a8e2abb4670020ad4aed79bfae501a762a038e6d2
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Excel document containing VBA macros. The macros reference ShellExecute and CreateObject, indicating an attempt to execute external code. Specifically, the script attempts to construct a command string using concatenated parts and then executes it. The reconstructed command appears to be 'P' + 'rogramFiles' + '\Windows\System32\cmd.exe' which is then used to execute a payload.

Heuristics (3)

  • [high] SC_STR_SHELLEXEC: Reference to ShellExecute API
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [medium] OLE_VBA_MACROS: VBA macros detected (document contains VBA macro code)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind       Source                                               Size
macros.bas   vba-macro  oletools.olevba.extract_macros (decoded VBA source)  1532 bytes
             SHA-256: 019f43ab4f7be9d800549fd4708d0f78bd5b028b17e8d1b4ef0809cebd90e8b1