Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ce4085be9c0cea2f…

MALICIOUS

Office (OLE) / .XLS

Size: 33.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-10-03
MD5: a7d04a4e89171657d2a5c6fd29a5ff65
SHA-1: b9267d4a42b84f7f0798820dd9a59be020672a8a
SHA-256: ce4085be9c0cea2fdaa6145e86166b051222fcc96eac12e1668d803a6b97ebfe
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros that leverage a CreateObject call to execute PowerShell. The PowerShell command is obfuscated but reconstructs to download a JavaScript file from 'http://reptr2bel.lm/download.js' and save it as 'C:\Users\Public\notepad.js' for execution. This indicates a downloader pattern aiming to fetch and run a second-stage payload.

Heuristics (3)

  • Reference to PowerShell (severity: high, rule: SC_STR_POWERSHELL)
    Reference to PowerShell
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 9be84f842a6a937e8515cebe50386bedfad9359c8282b679174009fd507e2857
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1493 bytes