Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e0a1ffff9d5c6eaa…

MALICIOUS

Office (OLE) / .XLS

Size: 50.0 KB | Created: 2023-02-07 14:08:55 | First seen: 2023-02-08
MD5: c7311e02d33c2a95239fd8037e6be66f
SHA-1: f08b8bde2d3e58c3f5ab74df6f7c2b0d341c3cfb
SHA-256: e0a1ffff9d5c6eaaa2e57548d8db2febbe89441a76f58feae8256ab69f64c88b
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The critical OLE_VBA_HTTP_DROP_EXEC heuristic indicates that the VBA macros are designed to download a file from a URL and save it to disk. The script reconstructs the URL as "http://12b5bp0li78ne3.c4o0m4" and uses Shell() to execute the downloaded file. The combination of CreateObject and Shell() calls strongly suggests downloader or dropper functionality.

Heuristics (5)

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 62d8586f12a929bffff111fb53112605ccf30ec47b77aa9ff469415a48926dc5
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1988 bytes