Office (OLE) / .DOC malware analysis — malicious · 27fc30f07281bbe8

MALICIOUS

Office (OLE) / .DOC

222.0 KB Created: 2020-04-07 08:55:27 Authoring application: Microsoft Excel

MD5: 2196fc14b3c6c00123359324b12fd111 SHA-1: be776a0ae18f85935424c49053eb951e57138b16 SHA-256: 27fc30f07281bbe8e7a8e830f17365e9df37e544ea156e39a181c1b919b8149d

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel document containing Excel 4.0 macros, indicated by the OLE_XLM_AUTOOPEN heuristic. The OLE_XLM_DANGEROUS_FN heuristic specifically flags the use of dangerous API functions within the Auto_Open macro, including the RUN function, suggesting an intent to execute arbitrary commands. No specific malware family could be identified, and no malicious URLs or scripts were extracted.

Heuristics 3

XLM Auto_Open with dangerous formula APIs high OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.microsoft.com/photo/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `f9f4d5ec529b5992ac8b2ed23f17f16f60126b15250bae71632669a7f3c0fa82`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	42532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.