Office (OLE) / .XLS malware analysis — malicious · 3c49c260cbf245b4

MALICIOUS

Office (OLE) / .XLS

367.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: 0570e44dd2c0e54f48194d7e48904f6e SHA-1: 570d33b9760d62f5662ee351f45d16315b1a4726 SHA-256: 3c49c260cbf245b4e64d748aaa898072016d428581e6ecc14a927595be625e85

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File

The file contains Excel 4.0 macros, specifically an Auto_Open defined name, which is a strong indicator of malicious intent. The presence of a macro-enable lure further supports this, as it's a common technique to bypass security warnings. The embedded URLs likely serve as download locations for secondary payloads. The macro sheet is too large to fully analyze for specific actions, but the overall pattern suggests a downloader.

Heuristics 4

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
URL https://smartpalakatva.com/edQsUZOLlE/th.html
- https://pilstlcommodities.com/Ov4FlB3lpy/th.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `e61304013e31eadd8bf35fc5d3e6cbadd61463966f2a2d09ae24f65eb0ee3106`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	8349 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.