Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 17283e500dd3ccbf…

MALICIOUS

Office (OLE)

Size: 3.67 MB
Created: 2000-05-02 12:01:22
Authoring application: Microsoft Excel
MD5: d3c006badd2eddd31468774a8df4cbfb
SHA-1: b6f422d9c407b9e1d38ca1033ae61a7a47daf9aa
SHA-256: 17283e500dd3ccbf117a778add9d1e57f1ead25947d804ddfd9b82e96c173b4a
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

Two critical heuristics fire on legacy Excel 4.0 (XLM) macros: the workbook pairs an Auto_Open defined name with an Excel 4.0 macro sheet, and it carries strings associated with the 'XL4Poppy' and 'Normal_MacroVirus' macro-virus families. XLM code reachable from Auto_Open runs as soon as the workbook is opened with macros enabled, and in practice it is used to execute arbitrary code, most often to download and run a second-stage payload. A medium-severity NOP-equivalent sled (a long run of 0x41 bytes, which decode as inc ecx on 32-bit x86) is consistent with shellcode padding, but long runs of 'A' also occur as ordinary filler, so it is supporting evidence rather than proof that shellcode is present. The embedded OLE package carved below (an Ole10Native stream) is a second object that should be triaged on its own.

Heuristics (3)

  • [critical] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) Auto_Open + macro sheet
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet, the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • [critical] OLE_XLM_LEGACY_MACRO_VIRUS: Legacy XLM macro-virus family marker
    Workbook contains an Excel 4.0 macro Auto_Open chain together with legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • [medium] SC_NOP_EQUIV_SLED: NOP-equivalent sled detected
    Long run of 0x41 bytes. 0x41 ('A') decodes as inc ecx on 32-bit x86, so a run of it can pad a shellcode entry point the way a 0x90 NOP sled does; it is also a common benign filler pattern, which is why the severity is medium rather than critical.
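How a scanner reaches the two XLM firings and the sled score above, as an added example that is not the analysis engine's code and uses no bytes from the sample: it walks the BIFF8 records of a Workbook stream, flags BoundSheet8 records whose type byte marks an Excel 4.0 macro sheet, flags Lbl (defined name) records that are the built-in Auto_Open/Auto_Close codes or spell the name out, and measures the longest 0x41 run. Record layouts and offsets follow MS-XLS; the two workbook streams are constructed inline, and with a real file the stream would come from `olefile.OleFileIO(path).openstream('Workbook').read()`. The family-string check behind OLE_XLM_LEGACY_MACRO_VIRUS is not reproduced because the report does not list the strings.

```python
import struct

# BIFF8 record ids from MS-XLS.  A Workbook stream is a flat list of records:
# 2-byte id, 2-byte body length, body.  Sheet directory and defined names live
# in the globals substream at the front of the stream.
REC_BOF         = 0x0809
REC_EOF         = 0x000A
REC_BOUNDSHEET8 = 0x0085   # BoundSheet8: one per sheet, carries the sheet type
REC_NAME        = 0x0018   # Lbl: a defined name, built-in or user supplied

SHEET_TYPE   = {0x00: 'worksheet', 0x01: 'xlm-macro-sheet', 0x02: 'chart', 0x06: 'vba-module'}
HIDDEN_STATE = {0: 'visible', 1: 'hidden', 2: 'very-hidden'}
# Built-in name codes: when Lbl.fBuiltin is set the name is a single byte.
BUILTIN_NAME = {0x01: 'Auto_Open', 0x02: 'Auto_Close', 0x0A: 'Auto_Activate', 0x0B: 'Auto_Deactivate'}
AUTOEXEC_PREFIXES = ('auto_open', 'auto_close')

def iter_records(stream):
    """Yield (record id, body) for every record in a Workbook stream."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from('<HH', stream, off)
        yield rtype, stream[off + 4:off + 4 + rlen]
        off += 4 + rlen

def _xl_string(buf, cch):
    """Decode an XLUnicodeStringNoCch: 1 flag byte, then cch chars (8-bit or UTF-16LE)."""
    if buf[0] & 0x01:
        return buf[1:1 + 2 * cch].decode('utf-16-le', 'replace')
    return buf[1:1 + cch].decode('latin-1')

def scan_xlm_autoexec(workbook_stream):
    """Mirror OLE_XLM_AUTOOPEN: list macro sheets and auto-exec names, fire when both exist."""
    macro_sheets, autoexec_names = [], []
    for rtype, body in iter_records(workbook_stream):
        if rtype == REC_BOUNDSHEET8 and len(body) >= 8:
            grbit = struct.unpack_from('<H', body, 4)[0]        # high byte: sheet type; low 2 bits: hidden state
            if SHEET_TYPE.get(grbit >> 8) == 'xlm-macro-sheet':
                name = _xl_string(body[7:], body[6])
                macro_sheets.append((name, HIDDEN_STATE.get(grbit & 0x03, 'unknown')))
        elif rtype == REC_NAME and len(body) >= 16:
            grbit, cch = struct.unpack_from('<HxB', body, 0)
            if grbit & 0x0020 and cch == 1:                    # fBuiltin: 1-byte code after the flag byte
                name = BUILTIN_NAME.get(body[15], 'builtin-0x%02x' % body[15])
            else:
                name = _xl_string(body[14:], cch)              # user name; Excel matches case-insensitively
            if name.lower().startswith(AUTOEXEC_PREFIXES):
                autoexec_names.append(name)
    return {'macro_sheets': macro_sheets, 'autoexec_names': autoexec_names,
            'fires': bool(macro_sheets and autoexec_names)}

def longest_byte_run(data, value=0x41):
    """Length of the longest run of `value`; SC_NOP_EQUIV_SLED keys on long 0x41 runs."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        if cur > best:
            best = cur
    return best

# --- constructed sample workbook streams (not bytes from the analysed file) ---
def _rec(rtype, body):
    return struct.pack('<HH', rtype, len(body)) + body

def _boundsheet(name, sheet_type, hidden=0):
    raw = name.encode('latin-1')
    return _rec(REC_BOUNDSHEET8, struct.pack('<IH', 0, (sheet_type << 8) | hidden)
                + bytes([len(raw), 0]) + raw)

def _builtin_name(code, itab, hidden=True):
    grbit = 0x0020 | (0x0001 if hidden else 0)                # fBuiltin (+ fHidden)
    header = struct.pack('<HBBHHHBBBB', grbit, 0, 1, 0, 0, itab, 0, 0, 0, 0)
    return _rec(REC_NAME, header + bytes([0, code]))

MALICIOUS_WORKBOOK = (_rec(REC_BOF, bytes(16)) + _boundsheet('Sheet1', 0x00)
                      + _boundsheet('Macro1', 0x01, hidden=2)    # very-hidden XLM sheet
                      + _builtin_name(0x01, itab=2)              # built-in Auto_Open bound to it
                      + _rec(REC_EOF, b''))
BENIGN_WORKBOOK = _rec(REC_BOF, bytes(16)) + _boundsheet('Sheet1', 0x00) + _rec(REC_EOF, b'')

if __name__ == '__main__':
    print(scan_xlm_autoexec(MALICIOUS_WORKBOOK))
    print(scan_xlm_autoexec(BENIGN_WORKBOOK))
    print(longest_byte_run(b'\x00' * 8 + b'A' * 300 + b'\x00'))
```

The scanner does not stitch CONTINUE (0x003C) records, which is fine for BoundSheet8 and Lbl because both are short; a production check should also look at the hidden state (a very-hidden macro sheet plus a hidden Auto_Open name is the usual evasion) and at the formulas on the macro sheet, which is what `olevba --decode` and XLMMacroDeobfuscator do.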

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename            Kind         Source                                            Size
ole10native_00.bin  ole-package  OLE Ole10Native stream: MBD00040EED/Ole10Native   69572 bytes
  SHA-256: 0823dada47768c3bc5e0170015ff256fae5adae80944ef398aea0e657b483a68
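Carving the ole-package artifact from an Ole10Native stream, as an added example that is not the engine's extractor and contains no bytes from the sample: the stream layout used here is the one parsed by community tools such as oletools' oleobj (declared size, 0x0002 marker, NUL-terminated label and source path, two dwords that are skipped, NUL-terminated temp path, payload length, payload). The stream, the label `update.exe`, the paths and the fake 'MZ' payload are all constructed inline. In a real workbook the stream is opened as `['MBD00040EED', '\x01Ole10Native']` (the leading 0x01 byte is part of the stream name and is dropped in the report's Source column).

```python
import hashlib
import struct

# Magic bytes used to label what was carved; the report's "Kind" column is coarser.
MAGIC = [
    (b'MZ', 'PE executable'),
    (b'PK\x03\x04', 'ZIP / OOXML'),
    (b'%PDF', 'PDF'),
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'OLE compound file'),
]

def sniff_kind(payload):
    for magic, kind in MAGIC:
        if payload.startswith(magic):
            return kind
    return 'unknown'

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def _cstring(buf, off):
    """Return (text, offset just past the NUL) for a NUL-terminated 8-bit field."""
    end = buf.find(b'\x00', off)
    if end < 0:
        raise ValueError('unterminated string at offset %d' % off)
    return buf[off:end].decode('latin-1'), end + 1

def parse_ole10native(stream):
    """Split a \\x01Ole10Native stream into header fields and the embedded payload.
    Raises ValueError on a truncated or inconsistent stream."""
    if len(stream) < 6:
        raise ValueError('stream too short')
    declared = struct.unpack_from('<I', stream, 0)[0]
    if declared != len(stream) - 4:
        raise ValueError('declared size %d != %d bytes present' % (declared, len(stream) - 4))
    marker = struct.unpack_from('<H', stream, 4)[0]          # 0x0002 in normal packages
    label, off = _cstring(stream, 6)
    src_path, off = _cstring(stream, off)
    off += 8                                                 # two dwords; skipped, as oleobj does
    temp_path, off = _cstring(stream, off)
    (size,) = struct.unpack_from('<I', stream, off)
    off += 4
    if off + size > len(stream):
        raise ValueError('payload length %d runs past end of stream' % size)
    payload = stream[off:off + size]
    return {'marker': marker, 'label': label, 'src_path': src_path, 'temp_path': temp_path,
            'size': size, 'kind': sniff_kind(payload), 'sha256': sha256_hex(payload),
            'payload': payload}

def safe_parse(stream):
    """Permissive wrapper for a triage loop: None instead of an exception."""
    try:
        return parse_ole10native(stream)
    except (ValueError, struct.error):
        return None

def build_ole10native(label, src_path, temp_path, payload):
    """Assemble a stream in the same layout (used only to construct the sample below)."""
    body = struct.pack('<H', 0x0002)
    body += label.encode('latin-1') + b'\x00' + src_path.encode('latin-1') + b'\x00'
    body += struct.pack('<II', 0, len(temp_path) + 1)
    body += temp_path.encode('latin-1') + b'\x00'
    body += struct.pack('<I', len(payload)) + payload
    return struct.pack('<I', len(body)) + body

# Constructed sample: a fake 'MZ' blob standing in for the 69572-byte package in the report.
SAMPLE_PAYLOAD = b'MZ' + b'\x90' * 62 + b'<constructed, not a real executable>'
SAMPLE_STREAM = build_ole10native('update.exe', 'C:\\Users\\victim\\update.exe',
                                  'C:\\Temp\\update.exe', SAMPLE_PAYLOAD)

if __name__ == '__main__':
    # Real input: olefile.OleFileIO(path).openstream(['MBD00040EED', '\x01Ole10Native']).read()
    info = parse_ole10native(SAMPLE_STREAM)
    print(info['label'], info['kind'], info['size'], info['sha256'])
```

The declared-size check and the payload-bounds check are what keep a carver from writing garbage when a sample is truncated or the length field is tampered with; the carved bytes should be hashed and triaged as a separate sample, exactly as the artifact row above does.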