Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 205177df058bed1b…

MALICIOUS

Office (OLE) / .XLS

Size: 432.5 KB
Created: 2021-02-03 15:28:44
Authoring application: Microsoft Excel
First seen: 2022-12-05
MD5: 5a421b63e5b422cd9b78a259a09f918d
SHA-1: e9331ea44a0d3b00fc124ce37b9b94a5613a7608
SHA-256: 205177df058bed1bebd7dbfeb9d44ebfa9f08450987db9c5de0f334a021562bb
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The file is an Excel workbook (OLE/BIFF8) whose Workbook stream is FILEPASS-encrypted and contains an Excel 4.0 (XLM) macro sheet with an auto-open entry point; a small VBA module was also carved out (see extracted artifacts). The document impersonates DocuSign, most likely to trick the user into enabling macros. No URLs or executable payloads could be extracted statically, which is expected while the macro sheet is encrypted: formula extraction only succeeds after the workbook is decrypted. The encrypted XLM macro sheet together with the DocuSign lure strongly suggests a downloader intended to fetch and execute further stages.

Heuristics (4)

  • Encrypted Excel 4.0 macro sheet [high] OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and a BIFF FILEPASS record, i.e. the Workbook stream is encrypted. Password-protected XLM macro sheets are a common evasion pattern, especially when the file is encrypted with Excel's built-in default password (VelvetSweatshop): Excel tries that password silently, so the victim sees no prompt, while static formula extraction fails until the workbook has been decrypted.
  • Excel 4.0 (XLM) macro sheet with auto-open [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream with an auto-open entry point. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code; the decoded source was carved as macros.bas (see extracted artifacts).
  • Document signing service impersonation lure [medium] SE_DOCUSIGN_LURE
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context.
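The two XLM heuristics above rest on a property of the BIFF8 format that is worth seeing in code: when a FILEPASS record is present, record bodies after it are ciphertext, but MS-XLS leaves the BOF and FilePass bodies in the clear, so the substream types (and therefore the presence of an Excel 4.0 macro sheet) remain visible without the password, whereas defined names such as Auto_Open and the sheet directory do not. The following triage script is an added example written for this page, not the analysis platform's own rule code. It assumes the raw Workbook stream has already been pulled out of the OLE container (olefile can do that); the two sample streams at the bottom are constructed by hand and contain no real ciphertext or key material, and the mapping in flags() onto this report's heuristic names is illustrative, since the platform's actual rule logic is not published here.

```python
"""Added example (not the platform's code): triage a raw BIFF8 Workbook stream
for FILEPASS encryption, Excel 4.0 macro-sheet substreams and an Auto_Open name."""
import struct

# Record types and field values from MS-XLS.
RT_BOF, RT_EOF = 0x0809, 0x000A
RT_FILEPASS = 0x002F      # encryption header; record *bodies* after it are ciphertext
RT_LBL = 0x0018           # defined name; built-in id 0x01 is Auto_Open
RT_BOUNDSHEET = 0x0085    # sheet directory entry; dt byte 0x01 is a macro sheet

BOF_KINDS = {0x0005: "globals", 0x0006: "vb-module", 0x0010: "worksheet",
             0x0020: "chart", 0x0040: "xlm-macro-sheet", 0x0100: "workspace"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x0A: "Auto_Activate"}
FILEPASS_CIPHERS = {0: "XOR", 1: "RC4"}


def iter_records(stream: bytes):
    """Yield (type, body) for each BIFF record (2-byte type, 2-byte size); stop on truncation."""
    off = 0
    while off + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4:off + 4 + size]
        if len(body) != size:
            break
        yield rtype, body
        off += 4 + size


def triage_workbook_stream(stream: bytes) -> dict:
    """Static triage that stays honest on FILEPASS-encrypted workbooks:
    BOF/FilePass bodies are plaintext per MS-XLS, Lbl/BoundSheet8 bodies are not."""
    r = {"encrypted": False, "cipher": None, "substreams": [],
         "xlm_bof_count": 0, "xlm_boundsheets": 0, "very_hidden_xlm": 0}
    auto_open = False
    for rtype, body in iter_records(stream):
        if rtype == RT_FILEPASS:
            r["encrypted"] = True
            wtype = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else None
            r["cipher"] = FILEPASS_CIPHERS.get(wtype, "unknown")
        elif rtype == RT_BOF and len(body) >= 4:
            _vers, dt = struct.unpack_from("<HH", body, 0)
            r["substreams"].append(BOF_KINDS.get(dt, "unknown"))
            if dt == 0x0040:
                r["xlm_bof_count"] += 1
        elif r["encrypted"]:
            continue                          # ciphertext: the fields below are meaningless
        elif rtype == RT_BOUNDSHEET and len(body) >= 6:
            if body[5] == 0x01:               # dt: macro sheet
                r["xlm_boundsheets"] += 1
                if body[4] & 0x03 == 0x02:    # hsState: very hidden (a common malware trait)
                    r["very_hidden_xlm"] += 1
        elif rtype == RT_LBL and len(body) >= 16:
            grbit, _chkey, cch = struct.unpack_from("<HBB", body, 0)
            # fBuiltin (bit 5) names carry a one-byte id right after the
            # 14-byte Lbl header and the string's fHighByte flag byte.
            if grbit & 0x0020 and cch == 1 and BUILTIN_NAMES.get(body[15]) == "Auto_Open":
                auto_open = True
    r["auto_open"] = "yes" if auto_open else ("unknown (encrypted)" if r["encrypted"] else "no")
    return r


def flags(r: dict) -> list:
    """Illustrative mapping onto this report's heuristic names (assumed, not the platform's logic)."""
    out = []
    if r["xlm_bof_count"] or r["xlm_boundsheets"]:
        out.append("OLE_XLM_AUTOOPEN")
        if r["encrypted"]:
            out.append("OLE_XLM_ENCRYPTED_MACROSHEET")
    return out


# --- constructed sample streams (hand-built, not taken from the analysed file) ---
def _rec(rtype, body): return struct.pack("<HH", rtype, len(body)) + body
def _bof(dt): return _rec(RT_BOF, struct.pack("<HHHHII", 0x0600, dt, 0, 0, 0, 0))
def _lbl_builtin(name_id):                    # grbit=fBuiltin, cch=1, cce=0, then fHighByte=0 + id
    return _rec(RT_LBL, struct.pack("<HBBHHHBBBB", 0x0020, 0, 1, 0, 0, 0, 0, 0, 0, 0) + bytes([0, name_id]))
def _boundsheet(dt, hs_state, name):
    n = name.encode("ascii")
    return _rec(RT_BOUNDSHEET, struct.pack("<IBBB", 0, hs_state, dt, len(n)) + b"\x00" + n)

# Sample 1: unencrypted workbook with a very-hidden XLM sheet and an Auto_Open name.
CLEAN_XLM = (_bof(0x0005) + _lbl_builtin(0x01) + _boundsheet(0x01, 0x02, "Macro1")
             + _rec(RT_EOF, b"") + _bof(0x0040) + _rec(RT_EOF, b""))

# Sample 2: same layout behind a FILEPASS record. The FILEPASS body is a zeroed
# placeholder of the RC4 header size; Lbl/BoundSheet bodies are stand-in ciphertext.
_JUNK = bytes((i * 73 + 19) & 0xFF for i in range(24))
ENCRYPTED_XLM = (_bof(0x0005)
                 + _rec(RT_FILEPASS, struct.pack("<HHH", 1, 1, 1) + b"\x00" * 48)
                 + _rec(RT_LBL, _JUNK[:16]) + _rec(RT_BOUNDSHEET, _JUNK[:14])
                 + _rec(RT_EOF, b"") + _bof(0x0040) + _rec(RT_EOF, b""))

if __name__ == "__main__":
    for label, s in (("clean", CLEAN_XLM), ("encrypted", ENCRYPTED_XLM)):
        t = triage_workbook_stream(s)
        print(label, t, flags(t))
```

On the encrypted sample the script still reports the macro-sheet BOF, but returns auto_open as "unknown (encrypted)" rather than "no"; that distinction is the practical reason the encrypted case is rated higher than a plain XLM hit, and the next step in a real workflow is decrypting with msoffcrypto-tool (trying VelvetSweatshop first) and re-running formula extraction.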

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  726 bytes
SHA-256: 544daaabe44d28a0d90032cc3a030b8ea0c58bb49ed123e4b89277098cd2b245