Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 2adfe5a419267426…

MALICIOUS

Office (OLE) / .XLSX

Size: 35.5 KB
Created: 2020-11-30 12:09:04
Authoring application: Microsoft Excel
MD5: d6d54d05532a0f8f34f80eb112a71980
SHA-1: 083bc4dcba4684996f4ceea84f4eb6b88eeb8e22
SHA-256: 2adfe5a4192674264fd37a80d0d2a8015a7c110cdb43572e0cf32ab021f95b4a
Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell

The file contains an obfuscated Excel 4.0 (XLM) macro sheet, flagged by the OLE_XLM_OBFUSCATED_SETNAME_CHAIN heuristic. The chain shape (state held in SET.NAME-defined names and decoded through lookup functions at run time) is characteristic of a loader that assembles a command only when the sheet executes, typically to download and run a second-stage payload. The decoded command itself is not reproduced in this report; the extracted xlm_macros.txt listing below is the artifact to work from if it needs to be recovered. An XLM macro sheet combined with this kind of obfuscation points to malicious intent for initial compromise rather than a legitimate legacy workbook.

Heuristics (2)

  • Obfuscated XLM SET.NAME macro chain (severity: high, rule OLE_XLM_OBFUSCATED_SETNAME_CHAIN)
    The Excel 4.0 macro sheet uses randomised defined names, SET.NAME calls to hold state, HLOOKUP/COUNTA/VALUE calls to decode it, and NEXT/RETURN/HALT control flow. This matches the shape of an obfuscated XLM macro loader even though no Auto_Open name is exposed in the recovered source; it is macro malware rather than an exploit of a document-parser CVE.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. This rule fires on the presence of the sheet alone; by itself it does not establish an Auto_Open trigger.
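The loader shape the two heuristics above describe can be checked mechanically over a recovered macro listing. The following Python script is an added example, not the report's or the analysis engine's own code: the "Sheet!Cell: =formula" / "NAME name -> target" listing format, the two sample listings, the function-family sets and the score thresholds are all assumptions constructed for this demonstration (olevba's own XLM dump is not in this format and would need a conversion step first). It scores a listing for the SET.NAME-state, lookup-decoding and NEXT/RETURN/HALT shape without requiring an Auto_Open name, and separately flags the mere presence of an XLM sheet, mirroring the high and medium findings above.

```python
"""Heuristic scoring of a recovered Excel 4.0 (XLM) macro listing.

Added illustration only: this is not the report's detection engine, and the
listing format, sample listings and thresholds are constructed for the demo.
"""
import math
import re
from collections import Counter

# Function families behind the SET.NAME loader shape the report describes (assumed sets).
DECODE_FUNCS = {"HLOOKUP", "VLOOKUP", "COUNTA", "VALUE", "CHAR", "MID", "CODE"}
FLOW_FUNCS = {"FOR", "NEXT", "RETURN", "HALT", "GOTO"}
EXEC_FUNCS = {"EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL", "RUN"}

FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")                 # NAME( inside a formula
STATE_NAME_RE = re.compile(r'(?:SET\.NAME|FOR)\(\s*"([^"]+)"')     # names written by SET.NAME / FOR


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name: str) -> bool:
    """Crude test for a generated defined name: long, high entropy, contains digits."""
    return len(name) >= 8 and shannon_entropy(name) >= 3.0 and any(ch.isdigit() for ch in name)


def parse_listing(text: str):
    """Parse the constructed format: 'Sheet!Cell: =formula' and 'NAME name -> target' lines."""
    cells, names = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):        # blank or comment line
            continue
        if line.startswith("NAME "):
            name, _, target = line[5:].partition("->")
            names[name.strip()] = target.strip()
            continue
        cell, _, formula = line.partition(":")       # cell refs carry no ':'; range colons come later
        cells[cell.strip()] = formula.strip()
    return cells, names


def scan(text: str) -> dict:
    cells, names = parse_listing(text)
    funcs, state_names = Counter(), []
    for formula in cells.values():
        funcs.update(FUNC_RE.findall(formula))
        state_names.extend(STATE_NAME_RE.findall(formula))
    random_names = sorted({n for n in state_names if looks_random(n)})
    result = {
        "setname_calls": funcs["SET.NAME"],
        "state_names": random_names,
        "decode_funcs": sorted(f for f in DECODE_FUNCS if funcs[f]),
        "flow_funcs": sorted(f for f in FLOW_FUNCS if funcs[f]),
        "exec_funcs": sorted(f for f in EXEC_FUNCS if funcs[f]),
        "auto_open": any(n.lower().startswith("auto_open") for n in names),
        "heuristics": [],
    }
    # Any recovered XLM sheet at all: the report's medium-severity presence finding.
    if cells:
        result["heuristics"].append(("OLE_XLM_AUTOOPEN", "medium"))
    # Obfuscated chain: state in generated names, decoded via lookups, with macro control flow.
    # Deliberately independent of Auto_Open, as in the report's high-severity finding.
    if (result["setname_calls"] >= 3 and len(random_names) >= 2
            and len(result["decode_funcs"]) >= 2 and result["flow_funcs"]):
        result["heuristics"].append(("OLE_XLM_OBFUSCATED_SETNAME_CHAIN", "high"))
    return result


# Constructed listings (not the analysed sample): one loader-shaped, one plain legacy macro.
MALICIOUS_LISTING = """\
' constructed XLM sheet: builds a string from a lookup table, then writes it as a formula
Macro1!A1: =SET.NAME("xQ7pZk2mV", COUNTA(Sheet1!$C$1:$C$40))
Macro1!A2: =SET.NAME("dK2fM8sQx", "")
Macro1!A3: =FOR("hT9rB4nLw3", 1, xQ7pZk2mV)
Macro1!A4: =SET.NAME("dK2fM8sQx", dK2fM8sQx&CHAR(VALUE(HLOOKUP(hT9rB4nLw3, Sheet1!$A$1:$B$40, 2, FALSE))))
Macro1!A5: =NEXT()
Macro1!A6: =FORMULA(dK2fM8sQx, Macro1!B1)
Macro1!A7: =RETURN()
Macro1!A8: =HALT()
"""

BENIGN_LISTING = """\
NAME Auto_Open -> Macro1!$A$1
Macro1!A1: =ALERT("Monthly report refreshed")
Macro1!A2: =SET.NAME("LastRun", NOW())
Macro1!A3: =RETURN()
"""

if __name__ == "__main__":
    for label, listing in (("loader", MALICIOUS_LISTING), ("benign", BENIGN_LISTING)):
        print(label, scan(listing))
```

The benign listing keeps its Auto_Open name and still only earns the medium presence flag, while the loader-shaped listing triggers the high-severity chain rule with no Auto_Open at all, which is the point the report's first finding makes: the trigger name is not what identifies this family, the decoding shape is.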

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename        Kind       Source                                                  Size
xlm_macros.txt  xlm-macro  oletools.olevba.extract_all_macros (XLM macro listing)  6431 bytes
SHA-256 of artifact: 23694466e39c3d9082bc1377859ffab196b41d176297f06c102b9ab448f6e6f0