Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e1ec4308fa95fda7…

MALICIOUS

Office (OLE) / .XLS

Size: 146.0 KB
Created: 2019-11-04 20:04:32
Authoring application: Microsoft Excel
First seen: 2022-12-07
MD5: 2d8a934e863f0c73c1b2d96b2a98053e
SHA-1: b146ad3bc01b9db56c51e423ee39d1267d56c193
SHA-256: e1ec4308fa95fda7ef44f3843de2dddc1a81b375a3c15e19ac4ed0c79105875e
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The VBA macro contains a ShellExecute call and a constructed string that, when decoded, forms a PowerShell command. This command is designed to download a script from 'http://concretium.pt/xx/vvv/ii.ps1' and execute it with the execution policy bypassed and a hidden window style. The embedded URL and the PowerShell execution are strong indicators of downloader or dropper malware.

Heuristics (4)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://concretium.pt/xx/vvv/ii.ps1

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 4c55c54f8ebb99a3382d78d8efc13dec82425f648e2fe4968c2332bc3e20e31a
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1909 bytes