Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ef2cd6b4fd4fbeed…

MALICIOUS

Office (OLE) / .XLS

Size: 62.0 KB
Created: 2022-01-26 08:47:04
MD5: ac50c89f3656c1386a6c43ca01a6156d
SHA-1: 5a05155043902ec4b60bfb75e5fa2996b04a806d
SHA-256: ef2cd6b4fd4fbeedc663f59c5196f63338b9f66242230d15f70cdaeba3bfde54
Risk score: 288

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer

The sample is an XLS file containing VBA macros. Heuristics flag references to the API calls URLDownloadToFile, LoadLibrary, GetProcAddress, VirtualProtect, and CreateProcess, and the decoded VBA source explicitly declares and uses URLDownloadToFileA, LoadLibraryA, GetProcAddress, VirtualProtect, and CreateProcessA. This combination (download a file, then resolve and execute code from it) indicates that the macro downloads and executes a second-stage payload; the presence of these API calls strongly indicates downloader or dropper functionality.

Heuristics (8)

  • SC_STR_URLDOWNLOAD (critical): Reference to URLDownloadToFile API
  • OLE_VBA_DOWNLOAD (critical): URLDownloadToFile in VBA
  • SC_STR_CREATEPROCESS (high): Reference to CreateProcess API
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • SC_STR_VIRTUALPROTECT (medium): Reference to VirtualProtect API
  • OLE_VBA_MACROS (medium): VBA macros detected; document contains VBA macro code
  • OLE_VBA_ENVIRON (low): Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash (SHA-256): 06002c1b7e9a7c5d35e62b2a74ef4b083c6f287c156b9d3c7d12a98ef6b8e8f5
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4238 bytes