Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f6982187f88a3bad…

MALICIOUS

Office (OLE) / .XLS

Size: 231.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 8d4826b49eb3b4eeae0ebf408fea8f90
SHA-1: 03582039ef2c0a5d24b2978b659fec1980ca6744
SHA-256: f6982187f88a3bad2fda7a66fe2f896ae1f5a61efd5dfb0e93c8140d9495ae85
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is an Excel file containing VBA macros. The Workbook_Activate subroutine is triggered upon opening, which calls a function that uses GetObject and CallByName. These functions are commonly abused by macro-enabled malware to execute arbitrary code. The script appears to construct a command string by concatenating values from specific cells (C4, C5, C6, C7, C8) and then executes it. The specific payload and its ultimate destination are not fully discernible due to obfuscation and reliance on external cell values, but the intent is to download and execute a second-stage payload.

Heuristics (3)

  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • CallByName call (severity: high, rule: OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: ee4a3157e90018db0c981c5f81a82c689548c03d819e244fe8900ff6cddd48fe
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1575 bytes