Office (OLE) / .XLS malware analysis — malicious · 04c2d16ee5463453

MALICIOUS

Office (OLE) / .XLS

148.5 KB Created: 2020-06-22 16:20:38 Authoring application: Microsoft Excel

MD5: f373533d3c6c8acc02493933a9fa72a2 SHA-1: 10d2304ad3627fdedda044a01ee27e54909d1c7d SHA-256: 04c2d16ee5463453c04a6b4645f6a36f2485d91bd86fb18a9ed20446fdc57728

100 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is an Excel 4.0 (XLM) macro-enabled workbook. It contains an Auto_Open macro, which is a common technique for executing malicious code upon opening. The document body explicitly instructs the user to 'Enable Editing', indicating a lure to bypass macro security. No specific URLs or executable payloads were extracted, but the presence of an Auto_Open XLM macro strongly suggests it's designed to download and execute a secondary payload.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `9ffc6e7706584920c5a22bc19c86153d7507b6ffc200b00e4fc1d8af3095758a`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	86322 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.