Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 209ccd6701b0e8ef…

MALICIOUS

Office (OLE) / .XLS

2.78 MB Created: 2003-11-06 08:44:16 Authoring application: Microsoft Excel
MD5: 567af4215291eaa2ee070f39637dd48f SHA-1: 1aa80b3f080e4f5178caa580561b322f2f6fbf39 SHA-256: 209ccd6701b0e8efc57af60b3040d55f3491e991016bcd6173d4f6429c211034
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing a Workbook_Open macro, which is a common technique for initiating malicious activity upon opening. The macro uses VBA p-code with execution tokens, specifically CreateObject, indicating it's designed to run arbitrary code. While the exact payload is not visible, the presence of these indicators strongly suggests the macro's purpose is to download and execute a second-stage payload. No specific family could be identified.

Heuristics 3

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
bea12ae217a61a21315144bfa7a57553008e731e10733fbe04679dec8fe01fbf		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 439895 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.