Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 50cd588eb23ce5fb…

MALICIOUS

Office (OLE) / .XLS

Size: 1.48 MB
Created: 2009-06-21 07:00:11
Authoring application: Microsoft Excel
MD5: 0fa74aca364fe900d05b8f042628924c
SHA-1: fa44120146e9014e8ab4d5304bdc29aa8256d156
SHA-256: 50cd588eb23ce5fb5638cac0a9861bc971c3550679d49c6d80c46197534ebb6b
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell

The sample is an Excel 4.0 (XLM) spreadsheet containing legacy macro-virus markers, indicating malicious intent. The document body discusses business processes and technical improvements, likely serving as a lure. The presence of embedded URLs suggests a delivery mechanism for further malicious payloads or phishing content. No scripts were extracted from this sample, but the XLM macro sheet itself is the primary vector.

Heuristics (3)

  • OLE_XLM_LEGACY_MACRO_VIRUS (critical): Legacy XLM macro-virus family marker
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • OLE_XLM_AUTOOPEN (high): Excel 4.0 (XLM) Auto_Open + macro sheet
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet: the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://mail.viettel.com.vn/Setup\Tam_Backup\Book1.xls
    • http://mail.viettel.com.vn/3.6\Documents
    • http://mail.viettel.com.vn/My