Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 17a1724089f35523…

MALICIOUS

Office (OLE) / .XLSX

Size: 2.56 MB
Created: 2022-07-12 07:10:17
Authoring application: Microsoft Excel
First seen: 2022-07-14
MD5: f23567c93af8937d1e6f61c992b90252
SHA-1: f92a484c1370aa954bdfc72f541e5639ded42d78
SHA-256: 17a1724089f35523da32a1273f8fb4c672db37af2ed62cd28c79bf2e4ad1d576
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains legacy Excel 4.0 (XLM) macros, indicated by the 'OLE_XLM_AUTOOPEN' and 'OLE_XLM_LEGACY_MACRO_VIRUS' heuristics. XLM macro sheets evaluate formulas such as EXEC, CALL and REGISTER that can run arbitrary code, and are commonly used to download and run a further payload. Because XLM lives in macro sheets rather than in a VBA project stream, scanners that only inspect VBA do not see it. The presence of the 'XL4Poppy' marker suggests a known legacy macro-virus family.

Heuristics (2)

  • Excel 4.0 (XLM) Auto_Open + macro sheet [critical] OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet: the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy XLM macro-virus family marker [critical] OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
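One way to reproduce the OLE_XLM_AUTOOPEN check described above is to walk the BIFF8 records of the OLE 'Workbook' stream. The Python below is an added example written for this page, not the report's own detection engine: it parses BOUNDSHEET records (sheet-type byte 0x01 marks an Excel 4.0 macro sheet; the low two bits of the state byte give hidden / very hidden) and NAME records (built-in id 0x01 Auto_Open, 0x02 Auto_Close, or a string name matched case-insensitively, since Excel does not care about case), and raises the flag only when both a macro sheet and an auto-run name are present. Record IDs and layouts follow MS-XLS; the three sample streams are constructed by hand for the demo and are not taken from the analysed file.

```python
"""Minimal BIFF8 record walker that flags the OLE_XLM_AUTOOPEN shape:
an Excel 4.0 macro sheet (BOUNDSHEET with dt = 0x01) together with an
Auto_Open / Auto_Close defined name (NAME/Lbl record).

Added illustration, not the report's own engine. Record layouts follow
MS-XLS; the sample streams at the bottom are constructed by hand."""
import struct

REC_BOF, REC_EOF, REC_NAME, REC_BOUNDSHEET = 0x0809, 0x000A, 0x0018, 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "vba module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}
# Built-in name ids used when the NAME record's fBuiltin flag (0x0020) is set.
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x06: "Print_Area",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
# Excel matches auto-run names case-insensitively, so compare lower-cased prefixes.
AUTO_EXEC_PREFIXES = ("auto_open", "auto_close", "auto_activate", "auto_deactivate")


def iter_records(data):
    """Yield (record_id, payload) for each BIFF record; stop at a truncated tail."""
    pos = 0
    while pos + 4 <= len(data):
        rid, length = struct.unpack_from("<HH", data, pos)
        pos += 4
        if pos + length > len(data):
            break  # truncated record: stop rather than mis-parse garbage
        yield rid, data[pos:pos + length]
        pos += length


def _read_string(buf, cch):
    """Decode an XLUnicodeStringNoCch: one flag byte, then cch chars (8-bit or UTF-16LE)."""
    wide = buf[0] & 0x01
    raw = buf[1:1 + cch * (2 if wide else 1)]
    return raw.decode("utf-16-le" if wide else "latin-1")


def parse_boundsheet(payload):
    """BOUNDSHEET: lbPlyPos(4) hsState(1) dt(1) cch(1) name."""
    _lbplypos, state, dt, cch = struct.unpack_from("<IBBB", payload, 0)
    return {"name": _read_string(payload[7:], cch),
            "type": SHEET_TYPES.get(dt, "0x%02x" % dt),
            "visibility": VISIBILITY.get(state & 0x03, "unknown")}


def parse_name(payload):
    """NAME/Lbl: flags(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) 4 length bytes, then name."""
    flags, _chkey, cch, _cce, _reserved, itab = struct.unpack_from("<HBBHHH", payload, 0)
    builtin = bool(flags & 0x0020)
    body = payload[14:]
    name = BUILTIN_NAMES.get(body[1], "builtin_0x%02x" % body[1]) if builtin else _read_string(body, cch)
    return {"name": name, "builtin": builtin, "itab": itab}  # itab 0 = workbook scope, else 1-based sheet


def scan_workbook_stream(data):
    """Return the sheet/name inventory plus the OLE_XLM_AUTOOPEN verdict for a Workbook stream."""
    sheets, names = [], []
    for rid, payload in iter_records(data):
        if rid == REC_BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rid == REC_NAME:
            names.append(parse_name(payload))
    macro_sheets = [s for s in sheets if s["type"] == "macro sheet"]
    auto_names = [n for n in names if n["name"].lower().startswith(AUTO_EXEC_PREFIXES)]
    return {"sheets": sheets, "names": names, "macro_sheets": macro_sheets,
            "hidden_macro_sheets": [s for s in macro_sheets if s["visibility"] != "visible"],
            "auto_exec_names": auto_names,
            # Both halves must be present: a macro sheet alone is legitimate legacy content.
            "xlm_autoopen": bool(macro_sheets) and bool(auto_names)}


# --- constructed sample streams (hand-built for the demo, not from the analysed file) ---
def _rec(rid, payload):
    return struct.pack("<HH", rid, len(payload)) + payload

def _boundsheet(name, dt, state=0):
    return _rec(REC_BOUNDSHEET, struct.pack("<IBBB", 0, state, dt, len(name)) + b"\x00" + name.encode("latin-1"))

def _name(text_or_id, itab, builtin=False):
    flags = 0x0020 if builtin else 0
    body = b"\x00" + (bytes([text_or_id]) if builtin else text_or_id.encode("latin-1"))
    cch = 1 if builtin else len(text_or_id)
    return _rec(REC_NAME, struct.pack("<HBBHHHBBBB", flags, 0, cch, 0, 0, itab, 0, 0, 0, 0) + body)

_BOF = _rec(REC_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))  # BIFF8 workbook globals
MALICIOUS_STREAM = (_BOF + _boundsheet("Sheet1", 0x00) + _boundsheet("Macro1", 0x01, state=2)
                    + _name(0x01, itab=2, builtin=True) + _rec(REC_EOF, b""))   # very-hidden XLM sheet + built-in Auto_Open
STRING_NAME_STREAM = (_BOF + _boundsheet("Sheet1", 0x00) + _boundsheet("Sheet2", 0x01)
                      + _name("auto_OPEN", itab=0) + _rec(REC_EOF, b""))       # string-named, odd case
BENIGN_STREAM = (_BOF + _boundsheet("Sheet1", 0x00) + _name(0x06, itab=1, builtin=True) + _rec(REC_EOF, b""))

if __name__ == "__main__":
    for label, stream in [("malicious", MALICIOUS_STREAM), ("string-name", STRING_NAME_STREAM), ("benign", BENIGN_STREAM)]:
        r = scan_workbook_stream(stream)
        print(label, "xlm_autoopen =", r["xlm_autoopen"],
              "| macro sheets:", [(s["name"], s["visibility"]) for s in r["macro_sheets"]],
              "| auto-exec names:", [n["name"] for n in r["auto_exec_names"]])
```

On a real file, feed it the stream from `olefile.OleFileIO(path).openstream('Workbook').read()`. A file carrying an .xlsx extension that is actually an OOXML zip needs a different parser: there the macro sheets sit under xl/macrosheets/ and the auto-run names appear as `_xlnm.Auto_Open` definedName entries in xl/workbook.xml. For production triage, olevba (oletools) and oledump's plugin_biff perform this check and also decode the macro formulas themselves.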