Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 54606ac2e5fc50df…

MALICIOUS

Office (OLE) / .XLS

109.5 KB Created: 2006-09-13 11:21:51 Authoring application: Microsoft Excel
MD5: 860591abfa1a5b150f44d87f9ff30ee6 SHA-1: 0f12e06011effae2a7f2c0dd4ce14e6b9be2ed11 SHA-256: 54606ac2e5fc50dfdb20e6fd5a15daa9ff8098eaf20c8519d2913b9510d99d6b
68 Risk Score

Malware Insights

MITRE ATT&CK
T1559 Component Object Model Hijacking

The critical heuristic firing indicates an embedded Adobe Flash (SWF) file within the OLE document. While the VBA project itself contains no executable statements, the presence of the SWF is a strong indicator of malicious intent, likely for delivering a secondary exploit or payload. The embedded URL was confirmed benign and is not considered a primary IOC.

Heuristics 3

  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
56845bb35fdf791b2d2b0ce90d464da9f81eef6f5c9562346451e8a85cc26aca		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 987 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.