Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f7e2dc3f6451eddb…

MALICIOUS

Office (OLE) / .XLS

Size: 34.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-03-22

MD5: bcfe5f13dae18be7459424d06205aa2d
SHA-1: 51ef44dd1fc380cef5f0f2865c24f4e8a2b8113a
SHA-256: f7e2dc3f6451eddbbb3e81b48ec91b859e1ea52109b08e84a51f4fd1051cd21b

Risk score: 108

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The VBA macro code within the sample uses ShellExecute and GetObject to manipulate embedded objects. It renames a dropped file from 'ZJTTv.txt' to 'ZJTTv.js' and then attempts to open it, indicating a likely intent to execute a JavaScript payload. The script also appears to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy. The use of Environ() suggests that the drop path is constructed dynamically, potentially under AppData; the specific path 'C:\Users\Public\' was reconstructed from the script's logic.

Heuristics (4)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 4d6992dcba03711ba672e7f0b3d573b7902193c42880c3e2706eea95e68d1e91
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1143 bytes

Filename: ole10native_00.bin
SHA-256: bb9e92e65496081d4334a68e96ba52a60d2ae904127a26fc53cb00c127802479
Kind: ole-package
Source: OLE Ole10Native stream: MBD02343425/Ole10Native
Size: 1108 bytes