Office (OLE) / .XLS malware analysis — malicious · 218e287a6f28f900

MALICIOUS

Office (OLE) / .XLS

245.6 KB Created: 1999-12-24 16:36:33 Authoring application: Microsoft Excel

MD5: e163ab69a99e94fb131aa7d7a93ce24e SHA-1: a6862d04cc9e4697b9a6f68702248a64060a10a8 SHA-256: 218e287a6f28f90014c9edd25e50c7fbf8807c6d4d0d0f40e8ec7c33fecef831

220 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic T1059.003 Windows Command Shell T1140 Deobfuscate/Decode Files or Information

This XLS file contains both VBA and Excel 4.0 macros, with a Workbook_Open subroutine that appears to initiate a game interface. The presence of XOR-encoded strings and an appended payload suggests the macro is used to deobfuscate and execute further malicious code. The primary intent seems to be a lure, possibly to distract the user while a secondary payload is delivered or executed.

Heuristics 6

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualProtect'
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `c2d076a6e609a8b33579240c4c97ddb741702fb224c691665176231441d0ac2f`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	17509 bytes
`macros.bas` `ef88e2cb7c6cf64dda4750a118f71b844084384997d163fd51556cb0b169c349`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	27433 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 30 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.