Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 efebf5d864b6840e…

MALICIOUS

Office (OLE) / .XLSX

136.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 05b9dd05e497bf7a8935370954ef1e8b
SHA-1: 6dfb9d589d521b51bcaeeccdcf46d5070e6872b9
SHA-256: efebf5d864b6840e519d1a02d4fa84fe97f2a4e576d03442b9fdb0c57afa19b8
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros, including an Auto_Open macro, which is a common technique for executing malicious code upon opening. The macros appear to be designed to manipulate the spreadsheet's appearance and potentially download additional content from the provided URLs. The presence of Auto_Open and Auto_Close macros suggests an attempt to execute code during the document's lifecycle, likely to download and execute a second-stage payload from one of the embedded URLs.

Heuristics 4

  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://188.165.62.61/
    • http://79.141.171.170/
    • http://185.244.150.138/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (954b17b40618c472edefb57d86095b1fb0c0b22bc019811f22885378cc130af1) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5040 bytes