Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e97e626afb095ff8…

MALICIOUS

Office (OLE) / .XLS

Size: 406.0 KB   Created: 2021-02-15 19:29:50   Authoring application: Microsoft Excel
MD5: f6677bdf0d9fcdc58a921730972ae752
SHA-1: 7f8a1ad272cded9e58e0e82d90f28496e1faf572
SHA-256: e97e626afb095ff88a2f68b6774bc83f31a1c0edf6bf27f4e70de43419d0793a
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic for Applications

The critical OLE_VBA_SHELL heuristic indicates a Shell() call in the VBA macros, meaning the macro launches an external process, which has no legitimate reason to appear in a spreadsheet of this kind and is a strong indicator of malicious intent. Combined with the Auto_Close macro, the process launch is triggered without further user interaction when the workbook is closed (once the victim has enabled macros), a well-known way to run a payload after the lure document has served its purpose. The NOP sled finding (20 or more consecutive 0x90 bytes) is consistent with embedded shellcode, but on its own it is a weaker signal, since runs of 0x90 can also occur as padding in binary streams; here it supports rather than establishes the verdict. The p-code heuristic independently found the auto-execution and shell tokens in the compiled VBA stream, so the verdict does not depend on source extraction having succeeded. No specific family could be identified, but the execution method is clear.

Heuristics (5)

  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [high] SC_NOP_SLED: NOP sled detected. Found 20+ consecutive 0x90 bytes.
  • [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] OLE_VBA_MACROS: VBA macros detected. Document contains VBA macro code.
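The following Python script is an added example, not the report's own detection code, that reimplements the checks behind the five heuristics above and runs them over a constructed VBA module and a constructed byte blob (neither is carved from the analysed .xls). The rule IDs and severities are the page's; the mapping from severities to a verdict, and the p-code check (which here only looks for the identifier strings in a raw stream rather than decoding p-code), are assumptions made for the example.

```python
"""Re-implementation of the report's VBA heuristics over constructed input (added example)."""
import re
from dataclasses import dataclass

# Procedure names Office runs without user interaction (Excel and Word variants).
AUTO_EXEC_NAMES = ("Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_BeforeClose",
                   "AutoOpen", "AutoClose", "Document_Open", "Document_Close")
# Identifiers that hand control to another process, a download or a COM object.
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "URLDownloadToFile",
               "XMLHTTP", "ShellExecute")


@dataclass
class Hit:
    rule: str
    severity: str
    detail: str


def strip_comments_and_strings(src):
    """Blank out "..." literals (keeping the quotes) and drop ' comments,
    so that Shell() inside a string or a comment is not counted as a call."""
    out = []
    for line in src.splitlines():
        res, i, n = [], 0, len(line)
        while i < n:
            c = line[i]
            if c == '"':
                j = i + 1
                while j < n:
                    if line[j] == '"':
                        if j + 1 < n and line[j + 1] == '"':   # "" is an escaped quote
                            j += 2
                            continue
                        break
                    j += 1
                res.append('""')
                i = j + 1
            elif c == "'":
                break                                          # comment to end of line
            else:
                res.append(c)
                i += 1
        out.append("".join(res))
    return "\n".join(out)


def find_auto_exec(vba_src):
    """Names of Sub/Function definitions that Office auto-executes."""
    wanted = {n.lower() for n in AUTO_EXEC_NAMES}
    pat = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.M | re.I)
    return [m.group(1) for m in pat.finditer(vba_src) if m.group(1).lower() in wanted]


def find_shell_calls(vba_src):
    """Lines containing a Shell call, in function form Shell(...) or statement form Shell ..."""
    clean = strip_comments_and_strings(vba_src)
    func = re.compile(r"\bShell\s*\(", re.I)
    stmt = re.compile(r"^\s*(?:Call\s+)?Shell\s+\S", re.I)
    return [l.strip() for l in clean.splitlines() if func.search(l) or stmt.search(l)]


def find_nop_sled(data, min_len=20):
    """Length of the longest run of 0x90 bytes if it reaches min_len, else 0."""
    m = re.search(rb"\x90{%d,}" % min_len, data)
    return len(m.group(0)) if m else 0


def pcode_tokens(data):
    """Assumption: approximate the p-code rule by looking for identifier strings
    (ASCII or UTF-16LE, as the VBA 'dir' stream stores them) in a raw stream."""
    def present(name):
        return name.encode("ascii") in data or name.encode("utf-16-le") in data
    return [n for n in AUTO_EXEC_NAMES if present(n)], [t for t in EXEC_TOKENS if present(t)]


def scan(vba_src, raw_stream):
    hits = []
    if vba_src.strip():
        hits.append(Hit("OLE_VBA_MACROS", "medium", "Document contains VBA macro code"))
    for name in find_auto_exec(vba_src):
        rule = "OLE_VBA_AUTOCLOSE" if name.lower() == "auto_close" else "OLE_VBA_AUTOEXEC"  # latter assumed
        hits.append(Hit(rule, "high", name + " macro"))
    if find_shell_calls(vba_src):
        hits.append(Hit("OLE_VBA_SHELL", "critical", "Shell() call in VBA"))
    sled = find_nop_sled(raw_stream)
    if sled:
        hits.append(Hit("SC_NOP_SLED", "high", "Found %d consecutive 0x90 bytes" % sled))
    auto, execs = pcode_tokens(raw_stream)
    if auto and execs:
        hits.append(Hit("OLE_VBA_PCODE_AUTOEXEC_EXEC", "high", "%s with %s" % (auto, execs)))
    return hits


def verdict(hits):
    """Assumed mapping: any critical rule => MALICIOUS, any high => SUSPICIOUS."""
    sev = {h.severity for h in hits}
    return "MALICIOUS" if "critical" in sev else "SUSPICIOUS" if "high" in sev else "CLEAN"


# Constructed sample module; not the macros.bas carved from the report's sample.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
' a Shell() mention in a comment must not count
Sub Auto_Close()
    Dim cmd As String
    cmd = "cmd.exe /c echo Shell() inside a string is not a call"
    Shell cmd, vbHide
End Sub

Private Sub Helper()
    x = Shell("notepad.exe", 1)
End Sub
'''
# Constructed stream: identifier strings followed by a 24-byte NOP sled.
SAMPLE_STREAM = b"dir\x00" + "Auto_Close".encode("utf-16-le") + b"\x00Shell\x00" + b"\x90" * 24 + b"\x00"

if __name__ == "__main__":
    found = scan(SAMPLE_VBA, SAMPLE_STREAM)
    for h in found:
        print("[%s] %s: %s" % (h.severity, h.rule, h.detail))
    print(verdict(found))
```

Against the constructed input the script fires all five rules and returns MALICIOUS; the string-literal and comment lines containing "Shell()" are deliberately not counted, which is the false-positive class a naive substring search would hit.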

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: d62486506f0539ac724b71af1b0ab0bc8235fae017f0aef95df8eeabbc38be68
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4527 bytes