Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f2027e57addce1b3…

MALICIOUS

Office (OLE) / .XLS

Size: 42.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-05-09
MD5: d7763394097db2c01a48e09cfb5b893b
SHA-1: ccc4372703a73af073f7d83a27e00a8c238f3f05
SHA-256: f2027e57addce1b3749967082d9a6ebbccbc335652c6c9246d2bf14aad42f00b
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an Excel file containing VBA macros designed to execute a PowerShell command. That PowerShell command reconstructs and executes a script that downloads a second-stage payload from 'http://go.to.avoc.lib.sbv.is:8080/nib/poc.vbs' and saves it as 'notepads.vbs' in the user's temp directory. It also attempts to rename an extracted file to 'vrOCA.js' and then execute it. The script also sets a registry key for persistence: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'.

Heuristics (5)

  • Reference to ShellExecute API (severity: high, id: SC_STR_SHELLEXEC)
  • Reference to PowerShell (severity: high, id: SC_STR_POWERSHELL)
  • GetObject call (severity: high, id: OLE_VBA_GETOBJ)
  • VBA macros detected (severity: medium, id: OLE_VBA_MACROS): document contains VBA macro code
  • Environ() call (env variable access) (severity: low, id: OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 7fc6e8ddec4da3560b803de03db25bead07c4cbb8cdd983515f157e76129d0e7
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1269 bytes
  • Filename: ole10native_00.bin
    SHA-256: 480f7191f3f9a0ea2981f7217c597d9d2d2cc3575a5cd62ef3d829367b6e39ab
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD02E2E892/Ole10Native
    Size: 1078 bytes