Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 281913392b751ca1…

MALICIOUS

Office (OLE) / .XLS

509.0 KB Created: 2009-02-10 20:00:02
MD5: 870b36ee0d2788ba11e608eaed99e816 SHA-1: 8026d145fd4237f0b00e6c7fafb831c95f534489 SHA-256: 281913392b751ca105bdb3bdb589463fc2db55d6e51198193bbba46c3db87ac3
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The file is an Excel 4.0 (XLM) macro-enabled spreadsheet. Heuristics indicate the presence of an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The macro uses dangerous formula APIs, including the RUN function, which can be used to execute arbitrary commands. The presence of 'Poppy' and 'Narkotic Network' markers suggests a legacy macro virus. The document body contains what appears to be a list of personnel and educational data, likely a lure to disguise the malicious macro execution.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
1e66d041eca8d8ccbd5d8596b4e7101492eacb5bb47f6cd10c0a5696ef5a7127		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 239715 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.