Office (OLE) / .XLS malware analysis — malicious · 4278d8ceafca37b0

MALICIOUS

Office (OLE) / .XLS

3.99 MB Created: 2010-05-30 01:50:50 Authoring application: Microsoft Excel

MD5: 18a8361e174e87e148cfde92de56adf3 SHA-1: e93380bbd6056020c5c0ae553e6e21b36391a350 SHA-256: 4278d8ceafca37b0ec2bca835640a038d38b65d94536f51fc6291721eaea26bb

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File

The file contains legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristics. These macros are designed to execute automatically upon opening the document. The embedded URLs suggest that the macro's primary function is to download and execute a second-stage payload from the specified IP address.

Heuristics 3

Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
Excel 4.0 (XLM) Auto_Open + macro sheet high OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://150.1.154.4/My
- http://150.1.154.4/WINDOWS\TEMP\ME-08-P.xls

Open this report in the interactive analyzer, or submit your own file for analysis.