Office (OLE) / .XLS malware analysis — malicious · 5c5bdbafd1f62769

MALICIOUS

Office (OLE) / .XLS

192.0 KB Created: 1999-12-24 16:36:33 Authoring application: Microsoft Excel

MD5: 44b66a5f4d1acf1bae8efc5ef277f4c3 SHA-1: a503513856af7beb889c2f2c632cd11ef134f12f SHA-256: 5c5bdbafd1f62769f542bc18fa9e80a2683cbe84c473bb08e71e3037fad5e8d5

82 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains both VBA and Excel 4.0 macros, with a Workbook_Open event triggering the execution of the Excel 4.0 macros. The presence of an embedded URL suggests the intent is to download and execute a secondary payload, likely a Windows executable. The specific macro logic appears to be related to a game interface, but the primary malicious function is the payload download.

Heuristics 4

Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://ccwater.com/dvd/d.exe�

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `1e2146545f848881b6974ace600b15cc6a57bb6c0dbcce63506efaed6758b4fd`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	17500 bytes
`macros.bas` `4f20ba194974de741021461a615367ae108d6239dda75d8a62f9cad6cfac3ff0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	27327 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.