Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 dc289b0d83115834…

MALICIOUS

Office (OLE) / .XLS

Size: 112.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-09-15
MD5: baab924935af816bce229a5db8266639
SHA-1: 609fb96556ce9835d947badbc822ad14cf59995f
SHA-256: dc289b0d83115834981228b3eb75ed8dd4c001d53f086c95629b4d94c6333e9d
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The VBA macro uses Shell.Application and CreateObject to construct a path within the user's profile directory and then attempts to open a JavaScript file named 'sfuCH.js'. The script also renames a file to 'sfuCH.txt', suggesting it may be preparing or staging a payload. The presence of ShellExecute API calls and CreateObject further indicates malicious intent to execute code.

Heuristics (3)

  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
  • VBA macros detected (medium, OLE_VBA_MACROS): document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1424 bytes
    SHA-256: c24b58c2902dd66b91366c6e1d7edd0fd86ada82b67524bb0ced25a65c9e3d37
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD048D9E35/Ole10Native
    Size: 1319 bytes
    SHA-256: fc00f733ea23159373978fa88da1c43f3691a9dae21b4a4c7dded7ac7e65665e