Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 da2ac365155dc134…

MALICIOUS

Office (OLE)

Size: 584.5 KB
Created: 2006-03-15 08:49:49
Authoring application: Microsoft Excel
MD5: 0a80c7e7d33565d042608c8338d8062d
SHA-1: 9951ac075d67d5fc9918817f9f4fc128a4e150a2
SHA-256: da2ac365155dc134754c90ddbe1cda62142ff505882e714d194451d096539d3b
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1204.002 — User Execution: Malicious File
  • T1059.005 — Command and Scripting Interpreter: Visual Basic

The sample is an Excel file containing VBA macros, including Workbook_Open and Auto_Open, indicating malicious intent upon opening. A high-confidence heuristic indicates exploitation of CVE-2012-0158 via MSCOMCTL.ListView. The embedded URL is likely used for a secondary payload download. No scripts were extracted, limiting further analysis of the macro's specific actions.

Heuristics (6)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; rule: CVE_2012_0158)
    Likely exploitation of CVE-2012-0158 via the MSCOMCTL.ListView control
  • Workbook_Open macro (severity: high; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro present
  • Auto_Open macro (severity: high; rule: OLE_VBA_AUTO)
    Auto_Open macro present
  • NOP-equivalent sled detected (severity: medium; rule: SC_NOP_EQUIV_SLED)
    Long run of 0x40 bytes
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.excel.wep.tr/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 99b798035c366f0d596c99d2e58403df4d930ac9b8c3d2d72d5e02e137e3f162
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12292 bytes