Office (OLE) / .XLS malware analysis — malicious · d9c745aa956faf99

MALICIOUS

Office (OLE) / .XLS

118.0 KB Created: 2021-04-13 13:37:17 Authoring application: Microsoft Excel

MD5: ceeedc713249ae7aee31841c389393b8 SHA-1: e486de368a011933936173cb22058ff06d0a1bee SHA-256: d9c745aa956faf9924734fc856bc69a23820e0d76b37a75c0889bdd2e53d4415

400 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The file contains a Workbook_Open VBA macro that uses WScript.Shell and CreateObject to execute obfuscated code. This code is designed to download and run a second-stage executable from the provided URL, indicating a downloader or initial access mechanism. The specific family is not identifiable from the available evidence.

Heuristics 9

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL

VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.

URL http://scaladevelopments.scaladevco.com/17/ConsoleApp18.ex
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `bc47d7045163b14310886a52db15583065245126a1cec10859a44481074091ff`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1146 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.