Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 47d8113a537e43ae…

MALICIOUS

Office (OLE) / .XLS

Size: 12.0 KB
Created: 2026-03-09 23:23:50
Authoring application: Microsoft Excel
MD5: 6bed869d5ce681ec735e087c84107689
SHA-1: 43ab3faed9eab9412bb7778a32d4f1a3b9917f25
SHA-256: 47d8113a537e43ae6b27862dced3f3ab858c0212841f8c223dfebf00201da3ef
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The sample is an encrypted Excel 4.0 macro sheet, indicated by the OLE_XLM_ENCRYPTED_MACROSHEET heuristic. The presence of SC_STR_WSCRIPT suggests that Windows Script Host is likely being leveraged to execute the embedded macro code. The macro sheet is likely used to download and execute a second-stage payload. The document body is heavily corrupted and unreadable, providing no further context.

Heuristics (4)

  • Reference to Windows Script Host (severity: high, ID: SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Encrypted Excel 4.0 macro sheet (severity: high, ID: OLE_XLM_ENCRYPTED_MACROSHEET)
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, ID: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA project contains no executable statements (severity: low, ID: OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.