Office (OLE) / .XLSX malware analysis — malicious · 262d07394e7bd69f

MALICIOUS

Office (OLE) / .XLSX

251.0 KB Created: 2020-05-27 10:34:36 Authoring application: Microsoft Excel

MD5: ccccd3b34757ea64ece4b759ca7f3b0c SHA-1: edceab98c49f053c8dfec14ccb0b9415ccb45c80 SHA-256: 262d07394e7bd69f01dd7c0dc45c05dadd0cb4d108249bb1a7c1c9f768bdab97

140 Risk Score

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Obfuscated XLM Auto_Open execution chain critical OLE_XLM_OBFUSCATED_AUTOEXEC_CHAIN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and an obfuscated formula execution chain. The macro builds strings through FORMULA(CHAR(...)), primes state with SET.VALUE / GET.CELL / GOTO, and transfers control through RUN(). This is a high-confidence XLM malware pattern.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `f59f096221729249e8e2b9917b6d211f3ff8e785dc71d53ccbcd7ba2ce9485d5`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	125795 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.