Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3870ab7d6a11c612…

MALICIOUS

Office (OLE)

Size: 36.5 KB
Created: 2020-11-27 11:40:43
Authoring application: Microsoft Excel
MD5: 10b3d67afe87e12fb343ad936a486876
SHA-1: fe56b13fdb0152f703db8186baebfc9a5693f2e6
SHA-256: 3870ab7d6a11c61247f00cd8c904fb7254c558ba8a930c4f5e76f2e9b9664e4c
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

Note on the mapping: an Excel 4.0 Auto_Open macro runs because the recipient opens the workbook and enables content; it exploits no software flaw, so T1204.002 (User Execution: Malicious File) describes the entry point more precisely than T1203.

The workbook contains an Excel 4.0 (XLM) macro sheet with an Auto_Open defined name, so macro formulas run as soon as the file is opened and content is enabled, with no VBA involved. The macro sheet also uses dangerous XLM functions such as RUN, which transfer control to other macro cells or programs. The exact second-stage payload is not recoverable from the evidence here; the carved xlm_macros.txt listing is where to look for the commands, URLs or file paths the macro sheet actually uses.

Heuristics 3

  • [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF defined-name record stores built-in names as an index byte rather than as text, so byte-string checks for "Auto_Open" can miss it; the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • [critical] OLE_XLM_DANGEROUS_FN: XLM Auto_Open with dangerous formula APIs
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula functions that can invoke programs, write files, or transfer control without VBA.
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: cb82a5ec790da56ce3635934af83613d7dccc0d574beb32e9157205e67c0a8dc
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6740 bytes