Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 eb9509c453a80869…

MALICIOUS

Office (OLE) / .XLS

924.0 KB Created: 2021-05-19 14:23:50 Authoring application: Microsoft Excel
MD5: a7b63000938bbeb31722acac4a96b004 SHA-1: 89f78b3028d7028a5b3f23f4eb78764abc205ab0 SHA-256: eb9509c453a808694eb50c18101558f492f16e6fdb3f349686da3d7c627311c9
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The sample is an Excel file containing a Workbook_Open macro that utilizes WScript.Shell to execute commands. This strongly suggests the macro is designed to download and execute a secondary payload from one of the embedded URLs. The specific URLs extracted are the highest priority indicators for further investigation.

Heuristics 9

  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL https://supereclinica.com.br/gestor/ckfinder/plugins/fileeditor/codemirror/Mad1mAVF6Vla1IY.php
    • https://coeniglich.de/oVWjOr1Z3Z.php
    • https://supereclinica.com.br/gestor/ckfinder/plugins/fileeditor/codemirror/Mad1mAVF6Vla1IY.php$
    • https://donboscoschoolbd.com/fdoMMqJznv.phpU%7QLIA2�
    • https://bypuzzle.com.br/avada/wp-content/themes/twentyfifteen/css/5clwWvDJgRsTKvW.php$A-c:Xe@j=
    • https://www.ktateeb.vision-building.com/public/graph/uploads/200x300/content_images/CByVubhIO51.phpfijLJl3u@cTsR�
    • https://smtp.computeraccess.co.in/8Lj6KntHS.php5
    • https://agentsv2.ivm.mv/user
    • https://proterra.med.br/wp-includes/js/tinymce/themes/advanced/Zg1TbiK17uVn.php;liQy
    • https://clinicasaludmasculina.com/phone/css/AvGj1IrWszA5cUW.php;uwkPvK
    • https://bonsventosnautica.com.br/xhpxAHxeWeE6lH3.php(@r%:yL
    • https://www.ktateeb.vision-building.com/public/graph/uploads/200x300/content_images/CByVubhIO51.phpfijLJl3u@cTsR
    • https://donboscoschoolbd.com/fdoMMqJznv.phpU%7QLIA2
    • https://agentsv2.ivm.mv/user_guide/_static/css/rjWMenNTq.php#ty#W#ty#W#ty#W

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
0274c83f86cb1dcb4d7fecf41b4b19a44dfa4626688feddb83b4c6dbc8e57164		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 145415 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.