Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d1cc51309cddfeeb…

MALICIOUS

Office (OLE) / .XLS

Size: 91.0 KB
Created: 2023-01-11 08:39:02
First seen: 2023-01-11
MD5: 77ab6ac40b4b4db8efa297534eb8d23f
SHA-1: dc01f959acff2ff1aae1278f7de74f2e9d1d3857
SHA-256: d1cc51309cddfeeb4181c3aafdc35e72c2ecb219e006392cae96b8568a4246ae
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The critical heuristic OLE_VBA_HTTP_DROP_EXEC indicates that the VBA macros download a file from an HTTP resource and save it to disk. The script uses CreateObject to instantiate Microsoft.XMLHTTP and ADODB.Stream, the COM components commonly used to fetch a remote resource and write its body to a file. The function Cvs_and_Excel likely orchestrates this download-and-execute chain, although the exact URL and output filename were not reconstructed from the provided script excerpt.

Heuristics (4)

  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 32d7fac58b6887a30c5e959ec041bf401c19b8078f46222cf39ceab594af4eb1
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4747 bytes