Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 46a861d142338a86…

MALICIOUS

Office (OLE)

Size: 383.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2015-10-13
MD5: ee27cf081fbd51d317a286595ef6b680
SHA-1: 6f20005612d48f7b7f61ce501814d961b6b51557
SHA-256: 46a861d142338a8679af515a0a24737f970914c0bb0e9b2689b1c6cb13e2fc05
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The critical heuristic 'OLE_XLS_FORMULA_MACRO_VIRUS' and the medium heuristic 'OLE_XLM_AUTOOPEN' indicate the presence of legacy Excel 4.0 (XLM) macros. Excel 4.0 macros run from formula cells on a macro sheet rather than from a VBA project, can call shell commands and Windows APIs directly (for example through EXEC, CALL and REGISTER), and are commonly used to download and execute a further payload. The document body also contains obfuscated strings and what appear to be macro commands, which supports this execution vector.

Heuristics (2)

  • OLE_XLS_FORMULA_MACRO_VIRUS (critical): Legacy Excel formula macro virus marker
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • OLE_XLM_AUTOOPEN (medium): Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.