Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 fc83217e920d36d6…

MALICIOUS

Office (OLE) / .XLS

75.0 KB Created: 2023-01-26 07:44:43 First seen: 2023-01-31
MD5: fe126e58d4aa4f8591254b0ec18bad59 SHA-1: 4b308e030f4f0769665d96c4d4e2e0d33dae0b07 SHA-256: fc83217e920d36d6b322812d129919b67c7d241a7c77111ddf24d49b4c1b8cec
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The VBA macro contains calls to URLDownloadToFileA and Shell(), indicating an intent to download and execute a second-stage payload. The macro reconstructs the URL '2ht40t1p11s4:6/12/3d6op66ler90to8ol1.c4o0m4' and uses 'rundll32.exe' to execute the downloaded file. The use of Environ() suggests it may attempt to save the payload to a user-specific location.

Heuristics 5

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
610678525f680629a452c08992aa06919dfc565e5b8524fa718fe59d9d46112b		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1771 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.