Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0e36504552c6734a…

MALICIOUS

Office (OLE)

Size: 439.0 KB
Created: 2009-10-30 11:28:20
Authoring application: Microsoft Excel
First seen: 2014-04-13
MD5: 89e820391288bb2d1504deccce4f5358
SHA-1: ebd8558baa8782deb321e2df0ad21c0181efbef8
SHA-256: 0e36504552c6734a5d13aa346cd533b75ad67d44978401a71386265ae0a85721
Risk Score: 82

Heuristics (3)

  • Legacy Excel formula macro virus marker [critical] (OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA project contains no executable statements [info] (OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 389 bytes
SHA-256: e5850c642f81ead8cb4d8eb42fbba65b5c87536f65a43cf8e4f3e60346100fd9
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "SecSignControl1, 287, 0, NTKOSecSignControlLIB, SecSignControl"