Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fdc9d1886a3cbe77…

MALICIOUS

Office (OLE)

Size: 124.0 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: 420100a0328956e72d444716b7dc1172
SHA-1: a253a491a72b4df318b7064b88e588cea083201e
SHA-256: fdc9d1886a3cbe770574835abf3a46369b73259d6bc16054bd3cf6ec8497c121
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The VBA macro in the Excel file calls `CreateObject` to instantiate `Shell.Application` and invokes that object's `ShellExecute` method to launch a program. The obfuscated `pCse` function reconstructs the string 'powershell' at run time, and the `tinxIr` function passes the result to `ShellExecute`. The `ShellExecute` call therefore establishes that the macro launches PowerShell; the arguments handed to PowerShell are not reproduced in this report, so the conclusion that the command downloads and runs a second-stage payload is an inference from the staging pattern, not a confirmed observation. Decoding the argument string in the extracted `macros.bas` (statically, or by executing the document in an instrumented sandbox) is the check that would confirm it.
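One way to carry out the deobfuscation step described above, as an added example that is not part of this report and not the sample's own code: the VBA below is constructed to mimic the described pattern (one function rebuilds "powershell" from `Chr()` and `StrReverse()` pieces, another hands it to `Shell.Application.ShellExecute`); its function names and the PowerShell argument string are placeholders, not the real `pCse`/`tinxIr` bodies. The Python statically evaluates `Chr()`, `ChrW()`, `StrReverse()`, string literals and `&` concatenation, resolving identifiers through their assignments, and reports what `CreateObject` instantiates and what `ShellExecute` launches.

```python
import re

# Constructed VBA sample for this example: NOT the decoded macros.bas from the report. It only mimics the
# described pattern (obfuscated "powershell" handed to Shell.Application.ShellExecute); names are placeholders.
SAMPLE_VBA = r'''
Function buildName()
    buildName = Chr(112) & Chr(111) & "wer" & StrReverse("llehs")
End Function
Sub Workbook_Open()
    Set app = CreateObject("Shell.Application")
    app.ShellExecute buildName(), "-nop -w hidden", "", "open", 0
End Sub
'''

_TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\d+)|([A-Za-z_]\w*)|([&()])')
_ASSIGN = re.compile(r'^\s*(?:Let\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.M)
_CREATEOBJ = re.compile(r'CreateObject\s*\(\s*(.+?)\s*\)', re.I)
_SHELLEXEC = re.compile(r'\.\s*ShellExecute\s+(.+?)\s*$', re.I | re.M)
_ARG = re.compile(r'(?:"(?:[^"]|"")*"|\([^)]*\)|[^,"(])+')   # one argument; splits on top-level commas
_SPAWNERS = ("shell.application", "wscript.shell")
_LOLBINS = ("powershell", "cmd", "mshta", "wscript", "cscript", "rundll32")


class _Parser:
    """Recursive-descent evaluator for: expr := term ('&' term)*."""
    def __init__(self, expr, env, depth):
        self.env, self.depth, self.i, self.toks = env, depth, 0, []
        for lit, num, ident, punct in _TOKEN.findall(expr):   # characters outside the grammar are skipped
            self.toks.append((punct, punct) if punct else ("num", int(num)) if num
                             else ("id", ident) if ident else ("str", lit.replace('""', '"')))

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self, kind=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        if kind is not None and tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "&":
            self.take("&")
            value += self.term()
        return value

    def term(self):
        kind, val = self.take()
        if kind in ("str", "num"):
            return str(val)
        if kind != "id":
            raise ValueError(f"unexpected token {val!r}")
        name = val.lower()
        if name in ("chr", "chrw", "strreverse"):   # the builtins this obfuscation style leans on
            self.take("(")
            inner = self.expr()
            self.take(")")
            return inner[::-1] if name == "strreverse" else chr(int(inner))
        if self.peek() == "(":                      # zero-argument call of a user function
            self.take("(")
            self.take(")")
        if name in self.env:                        # resolve through the name's assignment
            return eval_vba_string(self.env[name], self.env, self.depth + 1)
        raise ValueError(f"unknown identifier {val!r}")


def eval_vba_string(expr, env, depth=0):
    """Statically evaluate literals, Chr()/ChrW(), StrReverse() and '&' concatenation."""
    if depth > 20:
        raise ValueError("nesting too deep (self-referential assignment?)")
    parser = _Parser(expr, env, depth)
    value = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError(f"trailing tokens in {expr!r}")
    return value


def _try_eval(expr, env):
    try:
        return eval_vba_string(expr, env)
    except (ValueError, OverflowError):
        return f"<unresolved: {expr}>"   # left for manual or dynamic analysis


def triage_macro(vba):
    """Recover CreateObject targets and ShellExecute arguments from decoded VBA and derive indicators."""
    env = {name.lower(): text for name, text in _ASSIGN.findall(vba)}
    objects = [_try_eval(m.group(1), env) for m in _CREATEOBJ.finditer(vba)]
    calls = [[_try_eval(a.strip(), env) for a in _ARG.findall(m.group(1))] for m in _SHELLEXEC.finditer(vba)]
    indicators = [f"CreateObject({o}): COM object able to spawn processes" for o in objects if o.lower() in _SPAWNERS]
    for args in calls:
        if args and any(b in args[0].lower() for b in _LOLBINS):
            params = args[1] if len(args) > 1 else ""
            indicators.append(f"ShellExecute launches {args[0]!r} with parameters {params!r}")
    return {"createobject": objects, "shellexecute": calls, "indicators": indicators}


if __name__ == "__main__":
    print(triage_macro(SAMPLE_VBA))
```

Feed it the decoded source that `olevba` extracts (the `macros.bas` artifact below is exactly that). The evaluator deliberately covers only the subset of VBA this obfuscation style uses; anything it cannot resolve comes back tagged `<unresolved: …>` so it is obvious which arguments still need manual decoding or a sandbox run rather than being silently dropped.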

Heuristics (3)

  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • OLE_VBA_CREATEOBJ (high): CreateObject call
  • OLE_VBA_MACROS (medium): Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 84c89838fd13f429787908f92b932168d57be4481338fad76c09c373cc0b321c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1410 bytes