Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f107f93896e13db2…

MALICIOUS

Office (OLE) / .XLS

1.17 MB Created: 2000-06-12 09:04:32 Authoring application: Microsoft Excel
MD5: 06dc8807dc9baf41e15bc7da724ebd52 SHA-1: 7871170e3b19c8e482448acf093cbd36cfda3800 SHA-256: f107f93896e13db2c3f260c95675b34f2badc01fe9af91c828ff54daf722cd46
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel spreadsheet containing VBA macros, indicated by the OLE_VBA_MACROS heuristic. The SE_ENABLE_LURE heuristic suggests the document prompts the user to enable macros, a common social engineering tactic. The OLE_VBA_CREATEOBJ heuristic indicates the macros likely attempt to execute code. While no specific malicious URLs or scripts were extracted, the presence of macros and the lure mechanism strongly suggest a malicious downloader. The document body content appears to be a list of construction or repair materials and services, which could be used to create a convincing lure.

Heuristics 4

  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/office/2006/documentManagement/types
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
f128aaaf9de1522c63adc7fafe9985dc356f095136ae7f90d9d9b9f652ef9f42		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 57968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.