Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f067740a20ca2f71…

MALICIOUS

Office (OLE) / .XLS

Size: 112.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-08-26
MD5: cbbbf27e54152323cfc193108664e1c0
SHA-1: 8e886ddee08fd3427022dbb6cbe18e37df8af8e9
SHA-256: f067740a20ca2f71ce504138b1ff80906b85f7fad232feacf74305649cd21277
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The VBA macro in this Excel file is designed to execute a payload. It uses `CreateObject` to instantiate a Shell object and then attempts to paste content into the user's profile directory, specifically aiming to create a JavaScript file named 'GZNGX.js' and a text file 'GZNGX.txt' in the AppData\Roaming folder. The `ShellExecute` API reference and the invoice lure heuristic indicate a malicious intent to download and run a second-stage payload.

Heuristics (4)

  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators

Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename           | SHA-256                                                          | Kind        | Source                                                   | Size       |
|--------------------|------------------------------------------------------------------|-------------|----------------------------------------------------------|------------|
| macros.bas         | 64ee91e54457d38a6c3f67a28cd35e678a18d490ef720e67e02b126864df5045 | vba-macro   | oletools.olevba.extract_macros (decoded VBA source)      | 1415 bytes |
| ole10native_00.bin | f1668d90fdc3876111e63c7eee2d1fa18bdfe367898bef221141f95780053f0e | ole-package | OLE Ole10Native stream: MBD0E31727F/Ole10Native          | 1253 bytes |