Malicious Office (OLE) / .XLM — malware analysis report

Static analysis result for SHA-256 4df7d7c9b4d27626…

MALICIOUS

Office (OLE) / .XLM

Size: 567.5 KB
Created: 1999-02-24 13:43:46
Authoring application: Microsoft Excel
MD5: dabbd125e6623a032ed99074bfe0c179
SHA-1: edc4e4d61e4bc7833bdbdd7f5fb3f346c5c91267
SHA-256: 4df7d7c9b4d27626653de932602f0bc88cf0325338dff2bf3f661519e061a61a
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an Excel 4.0 macro-enabled workbook (XLM) that carries both XLM and VBA macros. Critical heuristics show an Auto_Open defined name bound to an Excel 4.0 macro sheet together with dangerous XLM functions, including RUN, so code executes as soon as the workbook is opened with macros enabled, with no VBA involved. The VBA project additionally declares the Windows API functions FindWindow, GetWindowLong and SetWindowLong; these are window-handle manipulation APIs that also appear in legitimate add-ins (for example to restyle a UserForm), so on their own they are a weak signal. Taken together, the XLM auto-execution entry, the dangerous formula APIs and the Workbook_Open VBA handler point to malicious intent, most plausibly staging a secondary payload through a command shell or PowerShell (the ATT&CK techniques mapped above). The 1999 OLE creation timestamp is authoring metadata that is trivially forged and commonly inherited from templates; it carries no weight in the verdict.

Heuristics 5

  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In the raw BIFF stream the name may be stored as a built-in name token rather than as the literal string, and string names may be UTF-16 or mixed case, so plain byte-string checks can miss it; the recovered macro listing confirms that the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Workbook_Open macro high OLE_VBA_WBOPEN
    The VBA project defines a Workbook_Open event procedure, which runs automatically when the workbook is opened with macros enabled; this is a second auto-execution path alongside the XLM Auto_Open name.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
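The two checks behind OLE_XLM_AUTOOPEN_DEFINEDNAME and OLE_XLM_DANGEROUS_FN, shown as an added example written for this page (it is not the report's tooling and not oletools). The first part parses a BIFF8 Lbl (defined name) record, whose layout follows MS-XLS: when the fBuiltin flag is set the Name field holds a one-byte index (0x01 = Auto_Open) instead of text, which is why a byte-string grep for "Auto_Open" misses the tokenized form, and why a UTF-16 or mixed-case string name also slips past it. The second part scans a macro listing for XLM functions that run programs, touch files or transfer control. All Lbl records and the listing are constructed in the block; the listing uses a simplified "cell: formula" form, not olevba's actual output format.

```python
"""Added example: recover an XLM Auto_Open name from a BIFF8 Lbl record and flag
dangerous XLM formula APIs in a macro listing. Written for this page; not the
report's tooling and not oletools. Lbl layout per MS-XLS 2.4.150."""
import re
import struct

# Built-in defined-name indices (MS-XLS): with fBuiltin set, the Name field
# holds this single index byte instead of the text "Auto_Open".
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close",
                 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTOEXEC = {"auto_open", "auto_close", "auto_activate", "auto_deactivate"}

# XLM functions that invoke programs, write files, or transfer control.
DANGEROUS_XLM = {"RUN", "EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "FREAD",
                 "FORMULA", "FORMULA.FILL", "FORMULA.ARRAY"}

LBL_HEADER = "<HBBHHH"          # flags, chKey, cch, cce, reserved, itab
LBL_HEADER_LEN = 14             # the six fields above plus four reserved bytes
F_BUILTIN = 0x0020
REF_A1 = b"\x3a" + b"\x00" * 6  # PtgRef3d to sheet 0, row 0, col 0 (stand-in rgce)


def build_lbl(name, wide=False, rgce=REF_A1):
    """Construct a Lbl payload for testing. `name` is a built-in index (int) or text."""
    if isinstance(name, int):             # built-in name: fBuiltin set, one index byte
        flags, cch, body = F_BUILTIN, 1, bytes([0x00, name])
    elif wide:                            # fHighByte=1: UTF-16LE characters
        flags, cch, body = 0, len(name), b"\x01" + name.encode("utf-16-le")
    else:                                 # fHighByte=0: one byte per character
        flags, cch, body = 0, len(name), b"\x00" + name.encode("latin-1")
    header = struct.pack(LBL_HEADER, flags, 0, cch, len(rgce), 0, 0) + b"\x00" * 4
    return header + body + rgce


def lbl_defined_name(payload):
    """Return the defined name in a Lbl payload, resolving built-in name tokens."""
    flags, _chkey, cch, _cce, _res, _itab = struct.unpack_from(LBL_HEADER, payload, 0)
    pos = LBL_HEADER_LEN
    wide = payload[pos] & 0x01            # XLUnicodeStringNoCch: fHighByte
    raw = payload[pos + 1: pos + 1 + cch * (2 if wide else 1)]
    if flags & F_BUILTIN:
        return BUILTIN_NAMES.get(raw[0], f"builtin_0x{raw[0]:02x}")
    return raw.decode("utf-16-le" if wide else "latin-1")


def is_autoexec_name(payload):
    """Excel matches defined names case-insensitively, so compare lower-cased."""
    return lbl_defined_name(payload).lower() in AUTOEXEC


def naive_grep(payload):
    """The byte-string check that the tokenized and UTF-16 encodings defeat."""
    return b"Auto_Open" in payload


FN_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")


def dangerous_calls(listing):
    """Scan 'cell: formula' lines; return (cell, function) for dangerous XLM APIs."""
    hits = []
    for line in listing.splitlines():
        cell, sep, formula = line.partition(":")
        if not sep:
            continue
        for fn in FN_RE.findall(formula.upper()):
            if fn in DANGEROUS_XLM:
                hits.append((cell.strip(), fn))
    return hits


# Constructed macro listing in a simplified "cell: formula" form (not olevba output).
SAMPLE_LISTING = """\
Macro1!A1: =CHAR(99)&CHAR(109)&CHAR(100)
Macro1!A2: =EXEC(A1&" /c echo constructed sample")
Macro1!A3: =RUN(Macro1!B1)
Macro1!A4: =HALT()
"""

if __name__ == "__main__":
    for label, rec in [("builtin token", build_lbl(0x01)),
                       ("ASCII text", build_lbl("Auto_Open")),
                       ("UTF-16 mixed case", build_lbl("AuTo_OpEn", wide=True))]:
        print(f"{label:18} name={lbl_defined_name(rec):10} "
              f"autoexec={is_autoexec_name(rec)} grep={naive_grep(rec)}")
    print(dangerous_calls(SAMPLE_LISTING))
```

Run stand-alone, the three Lbl variants all resolve to an auto-execution name while only the plain ASCII one is caught by the byte grep, and the listing scan reports the EXEC and RUN cells but not CHAR or HALT. Against a real workbook the Lbl payloads would come from the Workbook stream's record sequence (record type 0x0018) rather than from build_lbl.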

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename        Kind        Source                                                Size
xlm_macros.txt  xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing) 297907 bytes
  SHA-256: 05c8f44111378e11250f2f80c2b175d503286cb0822836c182ebfc769420a7c3
macros.bas      vba-macro   oletools.olevba.extract_macros (decoded VBA source)    27054 bytes
  SHA-256: d131650498f9aae0c90a492978bc5e1590dcb6b472c9f6eb40374afa36c3250a