Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 33775999dd0fd5b3…

MALICIOUS

Office (OLE) / .XLS

Size: 2.23 MB
Created: 2007-03-15 01:22:47
Authoring application: Microsoft Excel
MD5: 4f19026ebda173867b520235b4d4563d
SHA-1: 7a49f6f9ac0bf16ed616cd8e538b6226dca178a1
SHA-256: 33775999dd0fd5b33ee97df70151733ef6bb8d158fe35f51f2b920613fcc025a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet (XLS) with critical heuristics indicating it contains a legacy XLM macro-virus family marker and a high severity heuristic for an Auto_Open macro. While the document body contains what appears to be financial or administrative data, the presence of these legacy macro indicators strongly suggests malicious intent. No specific IOCs like URLs or hashes were extracted, but the file's structure and heuristic firings point to a classic macro-based threat.

Heuristics (4)

  • Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • Excel 4.0 (XLM) Auto_Open + macro sheet high OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 674cc9d6f85c1954c79d0b3836b984ec20d207a1855c70709901a67948b7145a
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2221 bytes