Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 dd5c22d076a6c5e9…

MALICIOUS

Office (OLE) / .XLS

Size: 218.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 8fd36b896b1c3b8bae1799bb5068fd64
SHA-1: 7023d940dfa21429fcc6211fc63587a5ecfd015c
SHA-256: dd5c22d076a6c5e9c22d57ac6f49fc241fe016d797b1383682ee2ee6b529eba8
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an Excel file containing VBA macros. The macros use the CreateObject and CallByName functions, which indicates an attempt to execute arbitrary code. The Workbook_Activate subroutine modifies cell values, and the Worksheet_Change subroutine attempts to decode a string stored in the document properties and execute it via a call to CreateObject using the PageSetup.CenterHeader property. This suggests the macro is designed to download and execute a secondary payload. The specific payload and its destination could not be determined because of obfuscation and the absence of network indicators.

Heuristics (3)

  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_CALLBYNAME (high): CallByName call
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  8b4f99414d66b3cae2696977541f556d2c5f240b265bc1a5ee0708fa0081e179
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1748 bytes