Office (OLE) / .XLS malware analysis — malicious · da0242e73e87d794

MALICIOUS

Office (OLE) / .XLS

24.0 KB

MD5: 235c46b31473269f3b53390fda81b876 SHA-1: e9c6b90732b77e80c7f929aa8c61e38837a93cce SHA-256: da0242e73e87d7941b6b98a05eeb6a29d9b0f99e3b2c5ace92733a1dd41862c7

348 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.003 Windows Command Shell

This XLS file contains VBA macros that are automatically executed upon opening, indicated by the Workbook_Open heuristic. The macros utilize WScript.Shell and CreateObject to download and execute a second-stage payload from the provided URLs. The specific URLs point to Google Docs and Dropbox, which are often used to host malicious payloads.

Heuristics 10

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1�
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download�

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `fe1742f0cebaf884bd21fc2111a03a651e6a5d75b49c6e4a537d9e005320a211`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	21014 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.