Office (OLE) / .XLS malware analysis — malicious · 582e03fefa4da38e

MALICIOUS

Office (OLE) / .XLS

32.5 KB Created: 2020-12-11 13:20:49 Authoring application: Microsoft Excel

MD5: fa730cda3f89abe0b0bad1672aac82be SHA-1: 796fba4acf98296a252a7b467a0c2ad98a5cdaa5 SHA-256: 582e03fefa4da38ecedd2afc3625ed152f98854c986d95ca9b0aca8b7a3d260f

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file is an Excel 4.0 (XLM) macro sheet, indicated by the OLE_XLM_AUTOOPEN heuristic. The OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN heuristic suggests the macros are intentionally obfuscated. The document body presents a fake invoice and prompts the user to 'Press button to receive invoice', which is a common lure for macro-enabled documents. No specific URLs or executable payloads were extracted, but the presence of obfuscated XLM macros strongly suggests malicious intent, likely to download and execute a second-stage payload.

Heuristics 2

Obfuscated XLM defined-name macro chain high OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN

Excel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `97add40d67d436692687e63b4e291463d453f7b41c8577a82d595bc6be4b03be`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	3643 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.