Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ce0f5d60331932cb…

MALICIOUS

Office (OLE) / .XLS

32.5 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2022-08-20
MD5: b9673daed1cf200a240df1e605cf52f6 SHA-1: 1b7281ef6268409e140257b3c7ae24999835c62b SHA-256: ce0f5d60331932cb9dbcd5b367033f809c7c9cad6d2e4026d0551bd5416eebb4
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The Excel file contains VBA macros that trigger a PowerShell command. This PowerShell command is obfuscated but reconstructs to download and execute a VBScript named 'notepad.vbs' from 'http://go.to.vocal.com/signin/client/download.vbs'. The script also attempts to establish persistence by writing to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'.

Heuristics 3

  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
414b47d79a9ac6c119a957d413b2bb96ea0edbd80b808b9935fa112b07e08bdf		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1377 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.