Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e90a5c6e075fb24a…

MALICIOUS

Office (OLE) / .XLS

Size: 54.0 KB
Created: 2022-11-08 07:28:13
Authoring application: Microsoft Excel
First seen: 2022-11-09
MD5: a9fb3c7f1f686479bce389271785f059
SHA-1: cc9011494f8f3525fc5c3045a3ade7471c49417f
SHA-256: e90a5c6e075fb24aa414300aeadc59606a1ed18b987839ec3dfe2a9370f827f3
Risk Score: 228

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer

The sample is an Excel file containing VBA macros that use WScript.Shell and CreateObject to download and execute a second-stage payload. The macro code obfuscates the download URL by concatenating string fragments and calls a function that appears to fetch content from a remote source. The document body text '2022.DHL' suggests a package-delivery lure.

Heuristics (6)

  • OLE_VBA_SHELL [critical]: Shell() call in VBA
  • OLE_VBA_WSCRIPT [critical]: WScript.Shell usage
  • SC_STR_WSCRIPT [high]: Reference to Windows Script Host
  • OLE_VBA_CREATEOBJ [high]: CreateObject call
  • OLE_VBA_MACROS [medium]: VBA macros detected (document contains VBA macro code)
  • OLE_VBA_ENVIRON [low]: Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3839 bytes
SHA-256: c1ff1a2d1054fe1a8a113d6651c29552579fbbc7bd21d2b7c911c234757d5943