Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 fcc55ce7ed8adcf6…

MALICIOUS

Office (OLE) / .XLS

Size: 67.5 KB
Created: 2018-12-06 20:43:11
Authoring application: Microsoft Excel
MD5: 0e3fccb0710d5f645343f0e2085921f2
SHA-1: e9122949ab988638db6d8c0af8817b6ea9aa32a3
SHA-256: fcc55ce7ed8adcf68a39bcd131de11e4be7b55899f35614fc67b4ce6ae0d6c0f
Risk Score: 340

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing VBA macros. A Workbook_Open macro is present and uses WScript.Shell to execute commands, indicating the document is designed to run arbitrary code as soon as macros are enabled. The text 'Haga clic en "Habilitar" para mostrar este documento en su formato de visualización.' (Click "Enable" to display this document in its viewing format) is a social engineering lure to get the user to enable macros. The critical OLE_VBA_SHELL and OLE_VBA_WSCRIPT heuristics confirm shell execution via WScript.Shell, likely used to download and execute a second-stage payload.

Heuristics 8

  • Shell() call in VBA — critical — OLE_VBA_SHELL
  • WScript.Shell usage — critical — OLE_VBA_WSCRIPT
  • Reference to Windows Script Host — high — SC_STR_WSCRIPT
  • Workbook_Open macro — high — OLE_VBA_WBOPEN
  • CreateObject call — high — OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where the visible VBA source is unavailable.
  • Suspicious extracted artifact — high — EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected — medium — OLE_VBA_MACROS
    Document contains VBA macro code.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7cce812ebfb34bbe7fa2009ab510999948d7daac8b746e77b9ba59b363ebc8c7
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12981 bytes

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.