Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 38ec4f4a53f77967…

MALICIOUS

Office (OLE) / .XLS

Size: 2.93 MB
Created: 2009-07-18 01:45:03
Authoring application: Microsoft Excel
MD5: c031af1e739ec3d3d4c399cf15a7ad83
SHA-1: 683fd569080d702fcad1e652a6b69dc9ebba76d0
SHA-256: 38ec4f4a53f77967dbe70dad4c037d83deb5f1643c88139ec3acae1c10dd31da
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File

The sample is an Excel 4.0 (XLM) macro-enabled spreadsheet. Heuristics indicate the presence of dangerous formula APIs and a legacy Excel formula macro virus marker, suggesting the execution of malicious code. The embedded URLs are likely used to download additional malicious content. The document body content appears to be technical data related to construction materials testing, which serves as a lure.

Heuristics (4)

  • Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • XLM Auto_Open with dangerous formula APIs (severity: high, rule: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://saimete.edu.vn/DOCUME~1\CHIHA~1\LOCALS~1\Temp\Mon
    • http://saimete.edu.vn/Tlthg11uyen.xls
    • http://saimete.edu.vn/BAOCAOGO.XLS
    • http://saimete.edu.vn/Tlthg11.xls
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
xlm_macros.txt | 664627921d78fa5db288bdc2fe74da7c5df1c7d02e91bb11b4bd45279f67e2f4 | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 670648 bytes
ole10native_00.bin | 682a7e014349d1ebb9e29e7cac5b8d94ef8a37849d74200cda0c2c363b5df950 | ole-package | OLE Ole10Native stream: MBD003AC94C/Ole10Native | 119460 bytes