Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e3dd6a2ecf7a9672…

MALICIOUS

Office (OLE) / .XLS

47.0 KB Created: 2018-12-06 20:43:11 Authoring application: Microsoft Excel
MD5: 9e697b032acf72e146f5c76de9d02c01 SHA-1: 77355c0c5918e1ec670f7649ca2f1f36b8c48385 SHA-256: e3dd6a2ecf7a96725b12d66d7144c9ebf5c8578541433e87937bd801042b3498
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1204.002 Malicious File

The XLS file contains VBA macros, specifically a Workbook_Open macro that utilizes Shell() and WScript.Shell. This indicates the macro is designed to execute arbitrary commands upon opening the document. The presence of these critical heuristics strongly suggests the file's purpose is to download and execute a second-stage payload. No specific family could be identified.

Heuristics 8

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
546d07adae3fdfb884f12b7c561945e6de2ae0891da4abf554eac419871a8664		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 28271 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.