Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f7ba4648cfc37732…

MALICIOUS

Office (OLE) / .XLS

Size: 479.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-04-02
MD5: 02d9a59c3300a4a005d2650f636819fb
SHA-1: 19d071ef00181a170e979ff7f6014ad03f89ce03
SHA-256: f7ba4648cfc37732e673a55dbde36390a21fb56aebf31284b6580ab73e599e3d
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1071.001 Web Protocols

The file contains VBA macros that, when executed, construct a base64-encoded string. This string decodes to a PowerShell command that downloads and executes a VBScript named 'New Payment Remittance.vbs' from 'http://2.532.74.69//ptth'. The VBA code also writes a batch file named 'cqjJQ.bat' to the user's AppData directory containing the decoded PowerShell command, and then attempts to open this batch file via GetObject. The GetObject call and Environ() call heuristics below are consistent with this execution flow: Environ() resolves the AppData path and GetObject launches the dropped batch file.

Heuristics (3)

  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (severity: low, rule: OLE_VBA_ENVIRON)
    Environ() call (environment variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: d422f65bde097b0a43f8cc4e3c6452e38c00dfe75cbfafd05e97c22a2ffe8cf2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1343 bytes