Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f1a61a31c172f4b2…

MALICIOUS

Office (OLE) / .XLS

Size: 38.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 3c889ce363ccd94e6a3248dc56d8296a
SHA-1: b59fe633bf7f587f461b8e9c6db321d3f62f6019
SHA-256: f1a61a31c172f4b21d34d099ecf544609dfc528a981ff8572e7b4c393bef84a8
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The VBA macro code within the XLS file attempts to copy an embedded OLE object and paste it into the user's AppData directory as 'lRcKD.js'. It then waits for a file named 'lRcKD.txt' to appear in the same directory, renames it to 'lRcKD.js', and attempts to open it. This indicates the macro is designed to stage and execute a second-stage payload, likely JavaScript, from a location it controls or expects to be populated. The ShellExecute and PowerShell heuristics below further support the execution of external code.

Heuristics (5)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
  • Reference to PowerShell (severity: high, rule: SC_STR_POWERSHELL)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • VBA macros detected: document contains VBA macro code (severity: medium, rule: OLE_VBA_MACROS)
  • Environ() call, i.e. environment variable access (severity: low, rule: OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: ce43349874d242fb4f4e887b9add1cd93d7c0c6946b5ba483981d92c87a7b00b
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1298 bytes

Filename: ole10native_00.bin
  SHA-256: bb7f82bca97d95d07ddd49fe9035e902680dc0b283e177dfc3d2cc803f2d1ea9
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD060D40AC/Ole10Native
  Size: 1083 bytes