Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 11acf334c77ed4ab…

MALICIOUS

Office (OLE)

1.79 MB Created: 2013-08-29 11:58:33 Authoring application: Microsoft Excel First seen: 2015-09-16
MD5: 4005de3095651da8ec170f0658e78ad1 SHA-1: dd503b9b48454b07e25621602f59f2ace63d1f29 SHA-256: 11acf334c77ed4abfda620404972933baa79c7c209a636f964480147e41966d7
242 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as a legacy XLM macro-virus family marker, specifically using the Auto_Open function to execute malicious code. The heuristics indicate it contains a payload URL and is designed as a lure to enable content, which is a common tactic for macro-based malware. The embedded URL 'http://prod.europe.subsidia.org/supplier/searchSupplier.do' is likely used to download and execute a secondary payload.

Heuristics 5

  • XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LURE
    Workbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • URL reconstructed from XLM cell array (1 URL) critical OLE_XLM_CELL_ARRAY_URL
    Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://prod.europe.subsidia.org/supplier/searchSupplier.do Referenced by macro
    • http://192.168.1.22/TANHOPReferenced by macro
    • http://192.168.1.22/DocumentsReferenced by macro

Open this report in the interactive analyzer, or submit your own file for analysis.