Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1a2d3cd8c16b920e…

MALICIOUS

Office (OLE) / .XLS

Size: 3.41 MB
Created: 2005-08-03 14:44:35
Authoring application: Microsoft Excel
MD5: 768637d6157300bbe1e8210823d5c315
SHA-1: 71c7603dfa8b7796a01885f2c565c027c43f1838
SHA-256: 1a2d3cd8c16b920ec5ba66af0abf1720d169f57135846b5b4db81605f4cd3d9b
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing a Workbook_Open VBA macro, a common technique for starting malicious activity as soon as the document is opened. The macro source is obfuscated, and static triage flags suspicious VBA Chr/ChrW string construction, a technique used to hide strings from signature-based scanners. While no specific IOCs such as URLs or hashes were extracted, the combination of a Workbook_Open macro and obfuscated VBA code strongly suggests an attempt to execute arbitrary code, most likely to download and run a second-stage payload.

Heuristics (3)

  • Workbook_Open macro (severity: high, rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256: 2c556139adafb6fb8e66dc87181597a34b7e4acf2ff7de60532728f01d3f5fe0
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 119109 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 27 Chr/ChrW string-construction calls.

Artifact 2
  Filename: ole10native_00.bin
  SHA-256: c387ff643fb6231d73759879790c90990c1aa646e1f7764a0afe38bc47e9bf60
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD000A405D/Ole10Native
  Size: 858628 bytes