Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5bf8d753c324067c…

MALICIOUS

Office (OLE) / .XLS

Size: 37.5 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: 25d4fc7e021dba3408047db18d0ad017
SHA-1: a4a65411b3bc5a3177fd4bb1979e7411e3bdb27f
SHA-256: 5bf8d753c324067c38ff0f1b6f063f95e221393e402f11dad35d4a0956dae6c9
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is an Excel file containing VBA macros, specifically an Auto_Open macro. This macro attempts to copy itself to the Excel startup directory as 'StartUp.xls', which is a persistence mechanism. The script also includes routines to hide its presence and evade detection by deleting sheets and closing workbooks. The presence of an Auto_Open macro and the copying behavior strongly suggest malicious intent.

Heuristics (3)

  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 38,400 bytes but its declared streams total only 19,940 bytes — 18,460 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Auto_Open macro [severity: high, rule: OLE_VBA_AUTO]
    Document contains an Auto_Open macro, which runs automatically when the workbook is opened.
  • VBA macros detected [severity: medium, rule: OLE_VBA_MACROS]
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash:     b35f884f1ab3c6e6c1dbe2d6db716dba0e1ebba6f7c888a0fd88da628484a892
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1912 bytes