Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d43489191e39ed08…

MALICIOUS

Office (OLE) / .XLS

Size: 476.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-01
MD5: 37799928afbe2613feb4e9699a728cf5
SHA-1: b262909286f1f5e2e5318a7f1d07a998f87cc2c3
SHA-256: d43489191e39ed08b4471ce752e10f0f0240127ad5192c548a0bf1da9d00ef0d
Risk Score: 68

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1071.001 Application Layer Protocol: Web Protocols

The sample is an Excel file containing VBA macros. The Workbook_Activate subroutine constructs a path to a batch file named 'ETtFd.bat' within the user's AppData directory. It then writes obfuscated data from cells A100, A103, A104, and A105 into this batch file. The GetObject function is used to interact with the Excel object model, and the Environ function retrieves the AppData path. The batch file is subsequently opened and executed, indicating a likely downloader or initial execution stage for a secondary payload.

Heuristics (3)

  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1f3d5a755aa136fbfc8443a6a4f81633444b54dcd581c7b48642871df26052d3
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1343 bytes