Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f94b1ce80a72cb88…

MALICIOUS

Office (OLE) / .XLS

Size: 246.5 KB
Created: 2016-01-13 20:07:58
Authoring application: Microsoft Excel
First seen: 2023-08-22
MD5: 9eb8e2cdbf7fd8532315cfb0f9163d77
SHA-1: 122a1ce7ddf6adaf31138c845c7533367b324bb7
SHA-256: f94b1ce80a72cb88c6565ad901fd7caca54a00d0cb20dc36326904f2ca2504db
Risk Score: 348

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The sample is an Excel file containing VBA macros that are automatically executed upon opening via the Workbook_Open event. The script uses URLDownloadToFileA to download a second-stage payload from the reconstructed URL 'http://www.00;tquui/psfebnputjsbwftfuspobsu/chigevt0tuofuopdsk0npd' to the user's temporary directory and then executes it using ShellExecuteA. The document body displays a fake invoice or SWIFT message with a prompt to 'Enable content', which is a common lure to bypass macro security.

Heuristics (9)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • ClamAV: Xls.Malware.Valyria-10028013-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10028013-0
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 04f1ff46a3c8a5d29d1d35216f50e5acbdd6b82e7ccf892e15665984a7991f3d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8337 bytes