Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2b42860dedf34586…

MALICIOUS

Office (OLE) / .XLS

Size: 4.08 MB
Created: 2006-02-20 20:11:09
Authoring application: Microsoft Excel
MD5: 673c71dba2c8fe763f674ce9da77b3e3
SHA-1: a6e7f848c6b61306fad7b74fbb10c4d2f9603711
SHA-256: 2b42860dedf34586c93fbbcf7b464074882e6b818b3d33df1de65ff66f50d3fd
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is an Excel workbook in the legacy OLE2 (.xls) container carrying a large VBA project (515,915 bytes of decoded source), which is what the OLE_VBA_MACROS and OLE_VBA_AUTO heuristics fired on. The project declares an Auto_Open procedure, so the code runs as soon as the workbook is opened with macros enabled; no further user interaction is required. The carved macro source assembles strings from 323 Chr/ChrW calls, a common way to keep command lines, URLs and COM object names out of reach of keyword scanners, and this is what the EXTRACTED_FILE_STATIC_TRIAGE heuristic reports as probable obfuscation. Static analysis did not recover a download URL or an embedded executable: the only URLs found are XML namespace and schema identifiers from image metadata and Office parts, not network indicators. An auto-executing, heavily obfuscated macro with no payload in the file itself is nonetheless the typical profile of a downloader or dropper stage. The visible spreadsheet content (financial data and market analysis) is best read as the lure theme; any link to financial fraud is an inference from that theme rather than an observed indicator.

Heuristics (4)

  • Auto_Open macro [high] OLE_VBA_AUTO
    The VBA project declares an Auto_Open procedure, which Excel runs automatically when the workbook is opened with macros enabled.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs listed here are XML namespace or schema identifiers (XMP image metadata, RDF, DrawingML and OOXML relationships) or the reference string carried by standard sRGB ICC colour profiles; none of them is a network indicator.
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.iec.ch
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 788f5a003c344242e354698cb3c345ccb798e3a32ee6c9da883d4d2fabc0cd9d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 515915 bytes

Detection
ClamAV: No threats found. A clean signature scan of decoded VBA source is weak evidence of benignity; signature engines rarely match macro text that builds its strings at run time.
Obfuscation or payload: likely. The carved artifact contains 323 Chr/ChrW string-construction calls.
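Before accepting the "obfuscation likely" verdict, an analyst normally resolves the Chr() chains in the carved module to see what those 323 calls actually spell. The script below is an added example, not code from the platform that produced this report or from oletools; it works on plain VBA source such as an olevba-extracted .bas module and ships with a constructed sample module (not the real macros.bas), so the URL and object name it recovers are illustrative only. It flags auto-executing procedure names, counts Chr/ChrB/ChrW calls, rewrites each run of concatenated Chr calls as a VBA string literal, and then runs a URL search over the decoded text, which is the step that turns "obfuscation present" into a concrete indicator.

```python
"""Static triage of a VBA module: auto-exec entry points, Chr/ChrW
string-construction calls, and the strings those calls resolve to.

Added example, not part of the analysis platform behind this report.
Usage: python vba_chr_triage.py macros.bas   (no argument: runs on SAMPLE_VBA)
"""
import json
import re
import sys

# Constructed sample, NOT the carved macros.bas from this report. It mimics the
# two behaviours the heuristics fired on: an Auto_Open entry point and strings
# assembled from Chr()/ChrW() calls (a URL on a reserved test TLD and the
# "WScript" object name).
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub Auto_Open()
    Dim s As String, o As String
    s = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & _
        Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & _
        Chr(46) & Chr(116) & Chr(101) & Chr(115) & Chr(116)
    o = ChrW(&H57) & ChrW(&H53) & ChrW(99) & ChrW(114) & ChrW(105) & ChrW(112) & ChrW(116)
    CreateObject(o & ".Shell").Run s
End Sub
'''

# Procedure names Office invokes on its own (a subset; olevba keeps a fuller list).
AUTOEXEC_NAMES = {n.lower() for n in (
    "Auto_Open", "AutoOpen", "Workbook_Open", "Workbook_Activate",
    "Document_Open", "Auto_Close", "AutoClose", "Workbook_Close", "Document_Close",
)}

PROC_DECL = re.compile(
    r'^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)',
    re.I | re.M)

# One Chr/ChrB/ChrW/Chr$ call whose argument is a decimal or &H hex literal.
CHR_CALL = re.compile(r'\bChr[WB]?\$?\s*\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)', re.I)
# A run of such calls joined with & or + (a lone call also matches).
CHR_RUN = re.compile(
    r'(?:\bChr[WB]?\$?\s*\(\s*(?:&H[0-9A-Fa-f]+|\d+)\s*\)\s*[&+]\s*)*'
    r'\bChr[WB]?\$?\s*\(\s*(?:&H[0-9A-Fa-f]+|\d+)\s*\)', re.I)
# VBA line continuation: trailing " _" then newline; joined before matching runs.
LINE_CONT = re.compile(r'[ \t]*_[ \t]*\r?\n[ \t]*')
URL_RE = re.compile(r'https?://[^\s"\'<>()]+', re.I)


def _code_point(tok):
    return int(tok[2:], 16) if tok[:2].upper() == '&H' else int(tok)


def _run_to_text(run):
    out = []
    for tok in CHR_CALL.findall(run):
        v = _code_point(tok)
        out.append(chr(v) if v <= 0x10FFFF else '\ufffd')
    return ''.join(out)


def find_autoexec(vba):
    """Declared procedure names that Office runs without user action."""
    return [m.group(1) for m in PROC_DECL.finditer(vba)
            if m.group(1).lower() in AUTOEXEC_NAMES]


def count_chr_calls(vba):
    return len(CHR_CALL.findall(vba))


def resolve_chr_strings(vba):
    """Strings produced by each run of concatenated Chr calls, in source order."""
    joined = LINE_CONT.sub(' ', vba)
    return [_run_to_text(m.group(0)) for m in CHR_RUN.finditer(joined)]


def deobfuscate(vba):
    """Rewrite every Chr run as a VBA string literal ("" escapes a quote)."""
    joined = LINE_CONT.sub(' ', vba)
    return CHR_RUN.sub(
        lambda m: '"' + _run_to_text(m.group(0)).replace('"', '""') + '"', joined)


def extract_urls(text):
    return URL_RE.findall(text)


def triage(vba):
    """Summary an analyst would attach to the carved module."""
    return {
        "autoexec": find_autoexec(vba),
        "chr_calls": count_chr_calls(vba),
        "resolved_strings": resolve_chr_strings(vba),
        "urls_after_deobfuscation": extract_urls(deobfuscate(vba)),
    }


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            src = fh.read()
    else:
        src = SAMPLE_VBA
    print(json.dumps(triage(src), indent=2))
```

The rewrite is purely lexical: Chr calls whose argument is a variable or an arithmetic expression, and strings built with Mid, StrReverse or Replace, are left as they are, so a large gap between the Chr call count and the number of resolved characters is itself a hint that a second obfuscation layer is present. olevba's own --deobf switch attempts similar expression resolution on the whole document; the standalone version is handy when only the carved .bas file is at hand.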