MALICIOUS
228
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The sample is an Excel file identified as malicious. It contains an embedded PE executable, indicated by the OLE_EMBEDDED_EXE heuristic. The presence of VBA macros, though not executable statements, suggests a potential delivery mechanism. The heuristics SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY, and SC_STR_GETPROCADDRESS, along with SC_XOR_ENCODED, point towards the embedded executable's likely functionality of loading and executing code, possibly after decryption. The primary IOC is the embedded executable file itself.
Heuristics 6
-
XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODEDFound 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess�', 'CreateFileA�', 'CreateFileW�'
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 606 bytes |
embedded_office_00010ceb.exe0c5cdbf6f043780dc5fff4b7a977a1874457cc125b4d1da70808bfa720022477 |
embedded-pe | Office MZ+PE at offset 0x10CEB | 114688 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.