Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f36593007cc34f95…

MALICIOUS

Office (OLE) / .XLS

73.0 KB Created: 2022-12-20 09:55:23 First seen: 2022-12-20
MD5: 3e289d6b132dbc93b8b90898669bc347 SHA-1: e12478ae49cfdf898fc50fa3c1cf77d0a1c45070 SHA-256: f36593007cc34f95cba32322a6ce2d7ee1b44c4c15fca9355b1af474b890d715
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The XLS file contains VBA macros that utilize WScript.Shell and CreateObject, indicating an intent to execute arbitrary commands. The presence of a Shell() call strongly suggests the macro is designed to download and execute a second-stage payload. No specific family could be identified from the available heuristics.

Heuristics 6

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
3971fec43fd9256fef3de7cc73deab87b5f2252ca1607f7982a8a0a8340c79a7		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 4879 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.