Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d1300974e16f75b2…

MALICIOUS

Office (OLE) / .XLS

Size: 122.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-08-16

MD5: 4b46967dd9b0cc889a71879e74c78163
SHA-1: f4ab4a4754ba6815e6ba8adb03f68d9ea2edd39a
SHA-256: d1300974e16f75b2fd0deeb5b4f212f2d1c9eb0d77bc51664c4dfbcdca4beb63

Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample is an Excel workbook carrying VBA macros and a fake invoice lure. The macro creates a Shell.Application object through CreateObject and uses it to drop content into the user's profile directory, where a .txt file is renamed to .js; the Ole10Native package carved from the document (see Extracted artifacts) is consistent with being the source of that content. The resulting .js file is then launched via ShellExecute, presumably to download and execute a second-stage payload. A ShellExecute reference together with CreateObject calls in macro code is a strong indicator of malicious intent.

Heuristics (4)

  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): VBA macros detected. Document contains VBA macro code.
  • SE_INVOICE_LURE (low): Fake invoice / payment lure. Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro or attachment indicators.
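The heuristics above are string-level checks over the decoded macro source, and they are only as good as the normalisation that precedes them: a macro that builds "Shell.Application" out of Chr() calls and `&` concatenation (the T1140 technique the ATT&CK mapping refers to) defeats a naive grep. The following is an added illustration of such a pass, not the analysis engine's own code. The rule IDs and severities are the ones this report lists; the regexes, the severity weights, the extra EX_TXT_TO_JS_RENAME rule and the sample macro are constructed for this example and are NOT the macro recovered from the analysed workbook (the report does not reproduce it).

```python
"""Scan decoded VBA source for the indicators behind this report's heuristics.

Added illustration, not the analysis engine's code. The rule IDs and severities
are the ones the report lists; the regexes, the severity weights, the extra
EX_TXT_TO_JS_RENAME rule and the sample macro below are constructed for this
example and are NOT the macro recovered from the analysed workbook.
"""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    rule_id: str
    severity: str
    evidence: str  # normalised source line that matched


# Weights are an assumption for this example, not the report's scoring.
WEIGHTS: Dict[str, int] = {"high": 40, "medium": 20, "low": 8}

LURE_WORDS = r"(invoice|payment|remittance)"
ACTION_WORDS = r"(enable|open|view|click)"

# VBA identifiers are case-insensitive, so every pattern uses re.I.
RULES = [
    ("SC_STR_SHELLEXEC", "high", re.compile(r"\bShellExecute\b", re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("SE_INVOICE_LURE", "low", re.compile(
        rf"\b{LURE_WORDS}\b.*\b{ACTION_WORDS}\b|\b{ACTION_WORDS}\b.*\b{LURE_WORDS}\b", re.I)),
    # Example-only rule for the .txt -> .js rename the narrative describes.
    ("EX_TXT_TO_JS_RENAME", "medium", re.compile(r"\.txt\b.*\.js\b", re.I)),
]


def _chr_repl(m: "re.Match") -> str:
    """Replace Chr(n)/ChrW(n) with a quoted literal when n is in range."""
    n = int(m.group(1))
    return '"%s"' % chr(n) if n <= 0xFFFF else m.group(0)


def normalise(src: str) -> str:
    """Undo the cheap obfuscation (T1140) that defeats naive string matching:
    join line continuations, resolve Chr()/ChrW() with numeric arguments and
    fold "a" & "b" literal concatenations into a single literal."""
    src = re.sub(r"\s_\r?\n\s*", " ", src)                # VBA line continuation
    src = re.sub(r"\bChrW?\((\d+)\)", _chr_repl, src, flags=re.I)
    join = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')    # "" escapes not handled
    while True:
        folded = join.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
        if folded == src:
            return src
        src = folded


def scan(vba_source: str) -> List[Hit]:
    """Run every rule over each non-comment line of the normalised source."""
    hits: List[Hit] = []
    for line in normalise(vba_source).splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("'"):   # blank line or comment
            continue
        for rule_id, severity, pattern in RULES:
            if pattern.search(stripped):
                hits.append(Hit(rule_id, severity, stripped))
    if vba_source.strip():   # OLE_VBA_MACROS fires on the presence of any macro code
        hits.append(Hit("OLE_VBA_MACROS", "medium", "<macro source present>"))
    return hits


def score(hits: List[Hit]) -> int:
    """Each rule counts once, however many lines matched it."""
    return sum(WEIGHTS[sev] for sev in {h.rule_id: h.severity for h in hits}.values())


# Constructed sample for this example; not the analysed file's macro.
SAMPLE_VBA = r'''
' Constructed sample for this example; not the analysed file's macro.
Private Sub Workbook_Open()
    Dim sh As Object, dst As String
    Set sh = CreateObject(Chr(83) & "hell.Appl" & _
        "ication")
    MsgBox "Please enable editing to view your invoice"
    dst = Environ("USERPROFILE") & "\inv.txt"
    Name dst As Replace(dst, ".txt", ".js")
    sh.ShellExecute "wscript.exe", Replace(dst, ".txt", ".js"), "", "open", 0
End Sub
'''


if __name__ == "__main__":
    found = scan(SAMPLE_VBA)
    for h in found:
        print(f"{h.severity:6} {h.rule_id:20} {h.evidence}")
    print("score:", score(found))
```

The evidence recorded for OLE_VBA_CREATEOBJ is the folded line, `CreateObject("Shell.Application")`, so the analyst sees the deobfuscated object name rather than the Chr()/concatenation soup. The literal folding deliberately ignores VBA's doubled-quote escape and non-literal arguments to Chr(); anything it cannot fold stays as written and still reaches the rules, so the worst case is a miss on a heavily obfuscated line, never a crash.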

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1203 bytes
    SHA-256: 68bb1a72bcca72c48ac96bb10bfbb700bbca9c0941addfd987c8b02881a76688
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD0B35A8EF/Ole10Native
    Size: 1183 bytes
    SHA-256: d01d450ecc5203a32d0952ec6b25128054a124e698c89381412b7dbaba26b3f7
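The second artifact is an Ole10Native stream, the container Office uses for an embedded Packager object: a small header holding the file's label and original path, followed by the raw packaged bytes. Carving it out is what lets an analyst check whether the "text file" the macro drops and renames is really text. The parser below is an added example and not the analysis pipeline's code; it follows the stream layout that oletools' oleobj uses (declared size, flags, label, source path, one unknown DWORD, temp-path length, temp path, payload length, payload). The packaged file it parses is constructed inline and is NOT the 1183-byte package carved from the analysed workbook.

```python
"""Parse an Ole10Native (embedded Packager object) stream and sanity-check it.

Added example, not the analysis pipeline's code. Layout follows the one
oletools' oleobj uses for this stream. SAMPLE_STREAM is a constructed fixture,
not the package carved from the analysed workbook.
"""
import hashlib
import struct
from typing import Any, Dict, Optional


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Build a stream in the layout parse_ole10native expects (used as a fixture)."""
    temp = temp_path.encode("latin-1") + b"\0"
    body = struct.pack("<H", 2)                       # flags: 2 = embedded object
    body += label.encode("latin-1") + b"\0"           # display label
    body += src_path.encode("latin-1") + b"\0"        # original path on author's host
    body += struct.pack("<I", 0)                      # unknown DWORD
    body += struct.pack("<I", len(temp)) + temp       # temp path incl. NUL
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body        # leading declared size


def parse_ole10native(stream: bytes) -> Dict[str, Any]:
    """Return label, paths, payload and its SHA-256; ValueError if truncated."""
    off = 0

    def u16() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<H", stream, off)
        off += 2
        return v

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", stream, off)
        off += 4
        return v

    def cstr() -> str:
        nonlocal off
        end = stream.index(b"\0", off)                # ValueError if no terminator
        s = stream[off:end].decode("latin-1")
        off = end + 1
        return s

    declared = u32()
    if declared > len(stream) - 4:
        raise ValueError(f"header declares {declared} bytes, stream has {len(stream) - 4}")
    flags = u16()
    label, src_path = cstr(), cstr()
    u32()                                             # unknown DWORD, ignored
    temp_len = u32()
    temp_path = stream[off:off + temp_len].rstrip(b"\0").decode("latin-1")
    off += temp_len
    size = u32()
    if off + size > len(stream):
        raise ValueError("payload length exceeds stream")
    payload = stream[off:off + size]
    return {"flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "payload": payload,
            "sha256": hashlib.sha256(payload).hexdigest()}


def is_truncated(stream: bytes) -> bool:
    """True when the stream cannot be parsed because its lengths overrun it."""
    try:
        parse_ole10native(stream)
        return False
    except (ValueError, struct.error):
        return True


def assess(pkg: Dict[str, Any]) -> Optional[str]:
    """Flag a package whose content contradicts its harmless-looking label, which
    is exactly what a .txt that gets renamed to .js after dropping relies on."""
    label = str(pkg["label"]).lower()
    data: bytes = pkg["payload"]
    if data[:2] == b"MZ":
        return "PE executable packaged as " + label
    script_marks = (b"ActiveXObject", b"WScript", b"CreateObject", b"powershell")
    if label.endswith((".txt", ".dat", ".log")) and any(m in data for m in script_marks):
        return "script content packaged under non-script name " + label
    return None


# Constructed fixture for this example, not the real carved package.
SAMPLE_STREAM = build_ole10native(
    label="invoice.txt",
    src_path=r"C:\Users\user\Desktop\invoice.txt",
    temp_path=r"C:\Users\user\AppData\Local\Temp\invoice.txt",
    payload=b'var sh = new ActiveXObject("WScript.Shell");\r\n',
)


if __name__ == "__main__":
    pkg = parse_ole10native(SAMPLE_STREAM)
    print(pkg["label"], pkg["src_path"], len(pkg["payload"]), pkg["sha256"])
    print("verdict:", assess(pkg))
```

Against a real document the stream bytes come from the OLE container, for example `olefile.OleFileIO(path).openstream("MBD0B35A8EF/Ole10Native").read()` using the stream path listed above (`oleobj` from the same oletools package does this carving automatically). The payload SHA-256 the parser returns is the value a report like this one records for the carved artifact, so it can be checked against the hash in the table.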