Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 548ba5226f9d7423…

MALICIOUS

Office (OLE)

Size: 144.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2014-10-12
MD5: 80abdb3a255371e9e6c418b178d32f10
SHA-1: 5c72b90213475b82262e281429926e671188172a
SHA-256: 548ba5226f9d742338be396b4255f5614e96c8720804bf57dec3872e10f98934
Risk Score: 68

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic)

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. It contains Excel 4.0 macros, specifically an AutoOpen macro, which is a common technique for executing malicious code upon opening the document. While VBA macros were present, they contained no executable statements, suggesting the primary malicious activity is driven by the XLM macro.

Heuristics (3)

  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    OLE file is 147,456 bytes but its declared streams total only 72,852 bytes; 74,604 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • [low] OLE_VBA_MACROS: VBA project contains no executable statements
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                   Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)      900 bytes
SHA-256: 8acdb8dc834ddee2d36ddc2aa6de4510d3b545b2d6a1ebd31c70b77e83fcf0f6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True