Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e74d47f819f49d9…

MALICIOUS

Office (OLE)

Size: 101.0 KB | Created: 2020-04-01 11:48:22 | Authoring application: Microsoft Excel | First seen: 2020-07-24
MD5: baec877321d82fa5be0dc3232cee6a25
SHA-1: 4e5c56982f6b411295490d23799d64b543715bdc
SHA-256: 1e74d47f819f49d96f4c73588968c93c7d023eb38e15bae7474cea0d7f0e4fc1
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel 4.0 macro sheet that is encrypted, preventing direct analysis of its content. Heuristics indicate the presence of an AutoOpen macro, commonly used to execute malicious code automatically when the document is opened. The encryption and presence of macros strongly suggest a malicious intent, likely to download and execute a secondary payload.

Heuristics 3

  • OLE metadata lists many Excel 4.0 macro sheets (severity: high; 2 related findings) OLE_XLM_DOCPROPS_MACROSHEET_INVENTORY
    Workbook contains a BIFF Excel 4.0 macro-sheet marker and its clear OLE DocumentSummaryInformation stream lists many MacroN sheet titles. This is a useful static signal when FILEPASS encryption prevents formula extraction from the workbook stream.
  • Encrypted Excel 4.0 macro sheet (severity: high) OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially those using the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present (severity: medium) OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.