Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5bb041f9cc26067c…

MALICIOUS

Office (OLE) / .XLS

526.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2021-05-26
MD5: 043eeef5435323fba3356abaa7ea352d SHA-1: fa7234729f990afaf6af7310aaffd5921a56af04 SHA-256: 5bb041f9cc26067ca6ea0772e2b59b9b6a127adc5359522105b9655496bbcdf1
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1218.011 Signed Binary Proxy Execution: Rundll32

This Excel 4.0 macro sheet uses an enable-content lure to trick the user into running macros. The macros contain calls to dangerous functions like CALL and EXEC, and attempt to download files from the provided URLs using rundll32 and regsvr32. The reconstructed URL is "https://digitrac.org/g31Qro72rb4Q/heart.html" and "https://swedish.askochembla.nl/6PNITEcbA/heart.html".

Heuristics 5

  • XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LURE
    Workbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
  • Excel 4.0 (XLM) macro sheet uses dangerous capability functions high OLE_XLM_DANGEROUS_FN_STATIC
    Workbook contains an Excel 4.0 macro sheet whose formulas reference two or more dangerous capability functions (e.g. CALL into a Win32 API such as URLDownloadToFile, EXEC to launch a process, REGISTER an external DLL procedure, or FWRITE/FOPEN to drop a file) with an Auto_Open / Auto_Close auto-execution name. This is the canonical XLM downloader/dropper shape and is recovered directly from the BIFF records, so it fires even when the full macro chain cannot be deobfuscated.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://digitrac.org/g31Qro72rb4Q/heart.html In document text (OLE body)
    • https://swedish.askochembla.nl/6PNITEcbA/heart.htmlIn document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.