Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 04a7a9857e2c3552…

MALICIOUS

Office (OLE) / .XLS

Size: 917.0 KB | Created: 2010-03-04 08:37:59 | Authoring application: Microsoft Excel
MD5: 5877b3b1db86e918c85cabcf5fd5d1d4
SHA-1: f9e67f3f9ead56f93ac71d4be7ae3f724b8e7177
SHA-256: 04a7a9857e2c3552533be6614e4ccd61ae7b54948b370d13f3e94a927499e61c
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel spreadsheet containing legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristic firings. An Auto_Open defined name paired with a macro sheet makes Excel evaluate that sheet's formulas as soon as the workbook is opened (subject to the macro security prompt), so the workbook can execute arbitrary code without any VBA; the T1059.005 (Visual Basic) mapping above is the nearest ATT&CK sub-technique, not an indication that VBA is present. The XL4Poppy and HPDung markers match a known legacy XLM macro-virus family. What the macro does once it runs is not established by static heuristics alone: a second-stage download is possible, but nothing listed here confirms network activity, and the macro-virus family markers are at least as consistent with self-replicating XLM code. Confirm behaviour by extracting the macro sheet formulas (including any hidden or very-hidden sheets) or by detonating the sample in a sandbox.

Heuristics (2)

  • OLE_XLM_AUTOOPEN (critical): Excel 4.0 (XLM) Auto_Open + macro sheet
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet, the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • OLE_XLM_LEGACY_MACRO_VIRUS (critical): Legacy XLM macro-virus family marker
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
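The OLE_XLM_AUTOOPEN shape above (an Auto_* defined name plus at least one Excel 4.0 macro sheet) can be checked directly from the BIFF8 records of the Workbook stream. The following is an added example written for this report, not code from the analysis tool that produced it: it walks the record stream, decodes BoundSheet8 records to find macro sheets and their hidden state, decodes Lbl (defined name) records to find built-in or spelled-out Auto_Open / Auto_Close names, and reports whether both halves of the heuristic are present. It assumes the caller has already extracted the raw Workbook stream from the OLE container (for example with the olefile library); the sample streams are constructed inline so the block runs offline. It does not parse the name's rgce formula, so it cannot follow Auto_Open to the exact cell where execution starts.

```python
import struct
from dataclasses import dataclass, field

# BIFF8 record type identifiers (MS-XLS 2.3)
BOF = 0x0809
EOF = 0x000A
BOUNDSHEET = 0x0085   # BoundSheet8: one per sheet; carries sheet type and hidden state
LBL = 0x0018          # Lbl: a defined name, possibly a built-in such as Auto_Open

# Single-byte codes used as the name of a Lbl record whose fBuiltin flag is set
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_EXEC = ("auto_open", "auto_close", "auto_activate", "auto_deactivate")
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro", 0x02: "chart", 0x06: "vb-module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very-hidden"}


def iter_records(stream: bytes):
    """Yield (record_type, payload) for each BIFF record; stop at a truncated record."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + size]
        if len(payload) != size:
            break
        yield rtype, payload
        pos += 4 + size


def parse_boundsheet(payload: bytes) -> dict:
    """BoundSheet8: lbPlyPos(4) hsState/dt(2) then ShortXLUnicodeString cch(1) flags(1) name."""
    _ply_pos, grbit, cch, flags = struct.unpack_from("<IHBB", payload, 0)
    raw = payload[8:]
    name = raw[:cch * 2].decode("utf-16-le", "replace") if flags & 0x01 else raw[:cch].decode("latin-1")
    return {"name": name, "type": SHEET_TYPES.get(grbit >> 8, "unknown"),
            "state": HIDDEN_STATES.get(grbit & 0x03, "unknown")}


def parse_lbl(payload: bytes) -> dict:
    """Lbl: grbit(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) four 1-byte lengths, then name."""
    grbit, _chkey, cch, _cce, _res, itab = struct.unpack_from("<HBBHHH", payload, 0)
    flags, raw = payload[14], payload[15:]
    builtin = bool(grbit & 0x20)          # fBuiltin: the 1-byte "name" is a code from BUILTIN_NAMES
    if builtin:
        name = BUILTIN_NAMES.get(raw[0], f"builtin_0x{raw[0]:02x}")
    elif flags & 0x01:
        name = raw[:cch * 2].decode("utf-16-le", "replace")
    else:
        name = raw[:cch].decode("latin-1")
    return {"name": name, "builtin": builtin, "hidden": bool(grbit & 0x01), "itab": itab}


def is_auto_exec_name(name: str) -> bool:
    """Excel matches Auto_* names case-insensitively and by prefix, so 'auto_OPEN1' still fires."""
    return name.lower().startswith(AUTO_EXEC)


@dataclass
class XlmFindings:
    macro_sheets: list = field(default_factory=list)
    auto_exec_names: list = field(default_factory=list)

    @property
    def auto_open_chain(self) -> bool:
        """The OLE_XLM_AUTOOPEN shape: an Auto_* name together with at least one macro sheet."""
        return bool(self.macro_sheets) and bool(self.auto_exec_names)


def analyze_workbook_stream(stream: bytes) -> XlmFindings:
    findings = XlmFindings()
    for rtype, payload in iter_records(stream):
        if rtype == BOUNDSHEET:
            sheet = parse_boundsheet(payload)
            if sheet["type"] == "macro":
                findings.macro_sheets.append(sheet)
        elif rtype == LBL:
            lbl = parse_lbl(payload)
            if is_auto_exec_name(lbl["name"]):
                findings.auto_exec_names.append(lbl)
    return findings


# --- constructed sample streams (not taken from the analysed file) ---------------------------
def _rec(rtype: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name: str, sheet_type: int, state: int) -> bytes:
    return _rec(BOUNDSHEET, struct.pack("<IH", 0, (sheet_type << 8) | state)
                + struct.pack("<BB", len(name), 0) + name.encode("latin-1"))

def _lbl(name, builtin: bool, itab: int = 0) -> bytes:
    raw = bytes([name]) if builtin else name.encode("latin-1")
    head = struct.pack("<HBBHHH", 0x20 if builtin else 0, 0, len(raw), 0, 0, itab)
    return _rec(LBL, head + b"\x00" * 4 + b"\x00" + raw)

_BOF = _rec(BOF, struct.pack("<HH", 0x0600, 0x0005) + b"\x00" * 12)
# Worksheet plus a very-hidden macro sheet and a built-in Auto_Open name: the malicious shape
SAMPLE_XLM_STREAM = _BOF + _boundsheet("Sheet1", 0x00, 0) + _boundsheet("Macro1", 0x01, 2) + _lbl(0x01, True) + _rec(EOF, b"")
# Ordinary workbook with a normal named range: no macro sheet, no Auto_* name
SAMPLE_BENIGN_STREAM = _BOF + _boundsheet("Sheet1", 0x00, 0) + _lbl("Sales_Total", False) + _rec(EOF, b"")

if __name__ == "__main__":
    for label, stream in (("sample", SAMPLE_XLM_STREAM), ("benign", SAMPLE_BENIGN_STREAM)):
        f = analyze_workbook_stream(stream)
        print(label, "OLE_XLM_AUTOOPEN" if f.auto_open_chain else "clean",
              [(s["name"], s["state"]) for s in f.macro_sheets], [n["name"] for n in f.auto_exec_names])
```

The very-hidden state matters operationally: a macro sheet with hsState 2 cannot be unhidden from the Excel UI, which is why the report's "Auto_Open chain" is a stronger signal than a macro sheet alone. Names spelled out rather than stored as the built-in code (for example a Lbl with the text auto_Open1) are caught by the prefix check, which mirrors how Excel itself resolves them.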