Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 cb0a2f45ce506dd6…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 37.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-03-22
MD5: bb6d730003322a7d2dc791401358d711
SHA-1: 0e785a360053ba05acc1352b77e255e6149a43c9
SHA-256: cb0a2f45ce506dd67cd564e382b386f71b01f77e0b6e6e06eef14d2f695dfd51
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample contains VBA macros that use ShellExecute and GetObject to drop an embedded object into a directory specified by an environment variable. The script then renames a .txt file to .js and attempts to open it, indicating likely payload execution. The specific environment variable and the content of the embedded object are not fully discernible, but the overall pattern suggests a downloader or dropper mechanism. The combination of Environ() and ShellExecute is indicative of this behavior.

Heuristics (4)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (severity: low, rule: OLE_VBA_ENVIRON)
    Environ() call (environment variable access)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: c591072c71a04b95f5fa1038066ca6a3042113b4c3ffa84bbbe81c6a6858d708
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1143 bytes

Filename: ole10native_00.bin
  SHA-256: b710ba766024b28f4d452dffb6e0773c378aa473303ff5fcd8e4c5f861037be4
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD00424E69/Ole10Native
  Size: 1105 bytes