Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2395feb69261800…

MALICIOUS

Office (OLE)

1.55 MB Created: 2005-06-29 12:09:49 Authoring application: Microsoft Excel
MD5: 5c87557688b8769c0710d57a2687a6d6 SHA-1: 83d65e1b9fd8eeb5a0d05b9b2bdeddc9eb68bdb4 SHA-256: f2395feb69261800a2b81d925c27938273cafa99c0a86049b898a152083f0eac
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file contains a large VBA macro, indicated by the OLE_VBA_MACROS heuristic. The presence of a critical OLE_VBA_SHELL firing suggests the macro attempts to execute external commands. Additionally, a high OLE_VBA_CREATEOBJ firing points to the creation of objects for potentially malicious purposes. The extracted artifact 'macros.bas' is the source of these macros. The overall intent appears to be the execution of a second-stage payload, though the specific mechanism is not fully detailed in the provided evidence.

Heuristics 4

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
94e5e6588da1fd81c6a45b7a4857a602aa12adfe87c7b0805e927f9d595ce0b5		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 310960 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 464 Chr/ChrW string-construction calls.
ole10native_00.bin
8493d3ba6dbb604d8ccf43e7af097a687f66ec39f15c4de11e9d0509284bcfe4		 ole-package OLE Ole10Native stream: MBD00672C13/Ole10Native 4132 bytes
ole10native_02.bin
4ba16879466705089b1f9e5df39a53f32ad9eb826639fe49248e4d06805cd171		 ole-package OLE Ole10Native stream: MBD011EC50F/Ole10Native 4100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.