Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f9b92212d4dbdbdd…

MALICIOUS

Office (OLE) / .XLS

Size: 120.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2022-08-25
MD5: 3af8864299165b527737ecb59ec7f47b
SHA-1: 7199e298af1f0f3273a3e6d9b4186805211c58b5
SHA-256: f9b92212d4dbdbddabd88e8e49a5672b5a5bb8fc29243628578fd037de26fcfa
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1140 Deobfuscate or Obfuscate

The Excel file contains VBA macros that use ShellExecute and CreateObject to download and execute a JavaScript payload. The macro renames a temporary file to 'sfoWQ.js' and then attempts to open it, which indicates downloader functionality. The 'INVOICE' text in the document body, combined with the macro's actions, suggests a lure designed to get the user to run the malicious code.

Heuristics (5)

  • ClamAV: Xls.Malware.Valyria-10002078-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-10002078-0
  • Reference to ShellExecute API [high, SC_STR_SHELLEXEC]
    Reference to ShellExecute API
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Fake invoice / payment lure [low, SE_INVOICE_LURE]
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: d0a00b1c68aa2969e4e4feddd5b01d356520f4b424958299e2b34dac740772a4
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1415 bytes
  • Filename: ole10native_00.bin
    SHA-256: 4805f380f5f5c4263231a96898f381877afc0f04ef6635dc9b6cdc0c940b8384
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD0E02868F/Ole10Native
    Size: 1253 bytes