Office (OLE) / .XLS malware analysis — malicious · 46c3c60d2dec1fd8

MALICIOUS

Office (OLE) / .XLS

32.5 KB Created: 2020-12-11 12:11:52 Authoring application: Microsoft Excel

MD5: 370b6c42ef11ad7aa9badc2955a71ecc SHA-1: 66fb6d8c62375081f0fd7eeebe5b05dd0d3e3d47 SHA-256: 46c3c60d2dec1fd8888b955d68494e03c933dcfe48d367fcf0d1306eab595ae0

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel 4.0 macro sheet, indicated by the OLE_XLM_AUTOOPEN heuristic. The presence of obfuscated defined-name chains suggests malicious intent. The document body presents a deceptive invoice lure, prompting the user to press a button, which would likely trigger the embedded XLM macros to execute.

Heuristics 2

Obfuscated XLM defined-name macro chain high OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN

Excel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `33aa01bf345374bbfda7333684620de265fdd0fdc65596b651ac67c4309b7d6f`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	3437 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.