Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1af6e46c1d6e2be6…

MALICIOUS

Office (OLE)

Size: 357.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2015-05-07
MD5: ef9581f2872866b4fb76f3e254a5b8ce
SHA-1: 164a636213ff1b6bf8904fec472bb7ce660a4aac
SHA-256: 1af6e46c1d6e2be624629175ff4c02128172c43108563e4b0691fde5fc9e2003
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The critical heuristic firings indicate the presence of legacy Excel 4.0 (XLM) macros, specifically identified as a dropper by ClamAV. This suggests the file's primary purpose is to download and execute a secondary malicious payload. The document body contains a large list of Chinese city and administrative region names, which is likely a lure or distraction, and does not appear to contain actionable instructions.

Heuristics (3)

  • ClamAV: Xls.Dropper.Agent-5896142-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-5896142-0
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.