Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 07f20cb8478c3e5f…

MALICIOUS

Office (OLE) / .XLS

Size: 447.0 KB
Created: 2008-02-07 13:02:12
Authoring application: Microsoft Excel
MD5: f719c4be803b62f9943518a24cb4fd70
SHA-1: a20af255fe5f080a86bb18e1cd0b81754e0395f6
SHA-256: 07f20cb8478c3e5f3827cb85b79f24682e0682e2af537a045efb7e233e9843d8
Risk Score: 110

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The file is an Excel spreadsheet containing a Workbook_Open VBA macro, which is a common technique for executing malicious code upon opening. The macro references cmd.exe, indicating an intent to run system commands. The presence of a database connection string within the document body suggests potential data exfiltration or manipulation, though its direct use by the macro is not confirmed. The macro's primary function appears to be executing arbitrary code, likely to download and run a second-stage payload.

Heuristics (5)

  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • cmd.exe reference in VBA (severity: high, rule: OLE_VBA_CMD)
    cmd.exe reference in VBA
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low, rule: OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e1aed2de7831f30ee6cf221ef1de3c8be7dbf539e39e43f5f7613f7b31f18a35
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 36936 bytes