Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d16c23ad3f2aa92c…

MALICIOUS

Office (OLE) / .XLS

Size: 80.0 KB | Created: 2022-07-20 10:29:17 | First seen: 2022-07-20
MD5: f327688f289fd0388196992424040459
SHA-1: 5327f1ab90a688de43515287ecdf4858676c7570
SHA-256: d16c23ad3f2aa92cafa15ca4d4f7bfb59bd8bd35bfa6fee8093da7335cc91cac
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The XLS file contains VBA macros that use the CreateObject and GetObject functions, which is indicative of malicious activity. The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' confirms that the VBA code downloads a file from an HTTP source and saves it to disk, likely for subsequent execution. The script builds a temporary filename from environment variables and application window dimensions, and also appears to establish persistence by writing to a Run key.

Heuristics (5)

  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths, this is a download-and-drop dropper even though the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (environment variable access) [low] OLE_VBA_ENVIRON
    Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  SHA-256:  2d36ac25e4b933a673ef064fdd92c4bee7e6c5a1314ac49e62b40997d89f7ef1
  Kind:     vba-macro
  Source:   oletools.olevba.extract_macros (decoded VBA source)
  Size:     3753 bytes