Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f89646ee6797d68b…

MALICIOUS

Office (OLE) / .XLS

295.0 KB
MD5: 6f643d7443861071e92580d55a9f2dbd SHA-1: dcfd68d365a83aac206df6d9cbe0c850267d7694 SHA-256: f89646ee6797d68bb17646573b2e15829cbc8f86516173d941bbd1aec89251cb
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The sample is an Excel file containing VBA macros that reference PowerShell. The heuristics indicate a high likelihood of PowerShell execution and the presence of suspicious encoded blobs within the document body. The embedded URLs, though marked as benign, are often used in initial delivery stages for macro-enabled documents. The primary attack vector appears to be social engineering via a malicious document, leading to the execution of PowerShell commands.

Heuristics 6

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://github.com/rouki555/lnk/raw/main/ud.bat
    • https://github.com/rouki555/dcm/raw/main/Document.zip

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
01148fea30f84204471d8377cf0ad1aa9762d322c49f4d55386ca3e43ddb465a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 302038 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.