Office (OLE) malware analysis — malicious · 10d6302abdefd8d0

MALICIOUS

Office (OLE)

36.0 KB Created: 2020-11-25 10:32:48 Authoring application: Microsoft Excel

MD5: 9374cccdc93fe8d6c3642ce50d7be7fb SHA-1: 52d24ecc2c8a1a9f644df18b390452ee044be871 SHA-256: 10d6302abdefd8d048f74dec268794bad7ebf5b5770abd17addfd934c9179b3f

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The critical heuristics indicate the presence of Excel 4.0 macros with an Auto_Open defined name, which is a known technique for executing malicious code. The macro sheet contains a reference to a dangerous formula API, suggesting it is designed to run arbitrary commands upon opening the document. No specific family could be identified, and no direct IOCs like URLs or hashes were extracted from the macro content.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `40ea9d8c773b017451c9b5dffa9694fcbf0142963c52e88663496a322f79ecf6`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	6449 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.