Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 14ebf6a7ca36c88a…

MALICIOUS

Office (OLE) / .XLSX

Size: 3.86 MB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
First seen: 2026-02-25
MD5: ce283f85a1d80763462803150cd88267
SHA-1: f5a129ba4141361ca266950dc4adcb2c548aa949
SHA-256: 14ebf6a7ca36c88a60f822b08a956646aa1e44d4adb5db79e6ceec4b1fb66a9a
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Excel file containing VBA macros, specifically a Workbook_Open macro. This macro utilizes the CreateProcessA API, indicating an attempt to execute a secondary payload. The ClamAV detection name 'Doc.Dropper.HexEncodedEXEHeader' further supports the dropper functionality. The exact nature of the dropped payload is not fully discernible due to script truncation, but the intent is to execute external code.

Heuristics 6

  • ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 (severity: critical; rule ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
  • Reference to CreateProcess API (severity: high; rule ID: SC_STR_CREATEPROCESS)
  • Document_Open macro (severity: high; rule ID: OLE_VBA_DOCOPEN)
  • Workbook_Open macro (severity: high; rule ID: OLE_VBA_WBOPEN)
  • VBA macros detected (severity: medium; rule ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Environ() call (env variable access) (severity: low; rule ID: OLE_VBA_ENVIRON)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (7aff7be05b483d522bc9ff57a3e19bafcb6e9b1cef5faa59af0fe62d9c65438b)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4001 bytes