Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 516aab6c290c14fe…

MALICIOUS

Office (OLE)

58.5 KB Created: 2020-05-18 00:14:53 Authoring application: Microsoft Excel First seen: 2020-09-07
MD5: a49064aedd3217e745c811e94e9bd1c2 SHA-1: b94373bb2faa0e6c05a3067d3f1d623effa73cef SHA-256: 516aab6c290c14fe83330eaf84959108c111fdda822c39e0cdbf26411ced37a9
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing an encrypted Excel 4.0 macro sheet, indicated by the OLE_XLM_ENCRYPTED_MACROSHEET heuristic. This suggests the file is designed to execute malicious macros when opened. The presence of an AUTOOPEN macro further supports this, indicating an attempt to automatically run code. No specific family could be identified.

Heuristics 2

  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.