Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f40b0b7ba6036c4d…

MALICIOUS

Office (OLE) / .XLS

Size: 34.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-02-15
MD5: eac3106e5d277c876f66b4966f55252c
SHA-1: a1e51a5397f866fab00181ec87a69ba06d667aa5
SHA-256: f40b0b7ba6036c4d53d9572c1aa00d4014ba40a66eb16abab0d75f48ab8057bd
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic

The VBA macro code within the sample utilizes ShellExecute and GetObject to paste an embedded object into the AppData directory, renaming it to 'hXYqe.js'. It then attempts to execute this JavaScript file. The presence of ShellExecute and PowerShell references, along with the macro's behavior of dropping and executing a script, strongly suggests a malicious intent for initial access or payload delivery. The script's execution path is clearly defined by the VBA code.

Heuristics (5)

  • Reference to ShellExecute API (severity: high, rule SC_STR_SHELLEXEC)
  • Reference to PowerShell (severity: high, rule SC_STR_POWERSHELL)
  • GetObject call (severity: high, rule OLE_VBA_GETOBJ)
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS): document contains VBA macro code
  • Environ() call (env variable access) (severity: low, rule OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1298 bytes
    SHA-256: 89849517434cad3b16b8b1cff4dcffda58028e8815aab84b26b7846a7411b05f
  • Filename: ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD0669F823/Ole10Native
    Size: 1089 bytes
    SHA-256: f80a67cb126c19bfb7064e18f57d514544a6dd9a1f520ff8db78d6de387e4b45