Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5f2adacaf4ecb00e…

MALICIOUS

Office (OLE) / .XLS

Size: 62.5 KB
Created: 2021-02-18 08:10:45
Authoring application: Microsoft Excel
MD5: 47e22049644647ee854cedfe077156e7
SHA-1: 20ad9f47616a8272dece2ec1039a88c09412c97c
SHA-256: 5f2adacaf4ecb00ed24dd9dfe355307d0d6e786e40c945ad4c6d1ae3a4835d2a
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a legacy binary Excel workbook (OLE container, BIFF8 "Workbook" stream) that carries an Excel 4.0 (XLM) macro sheet rather than a VBA project. The workbook defines an Auto_Open name pointing into that macro sheet, so Excel evaluates the macro formulas as soon as the file is opened with macros enabled; this is the XLM equivalent of a VBA AutoOpen routine and needs no VBA at all. The visible sheet shows a decoy prompt urging the user to click Enable Editing and then Enable Content, which is exactly the sequence that takes the document out of Protected View and lets the XLM macro run. The recovered macro listing is obfuscated: its formulas are split across many cells and assembled at run time, and their structure indicates a downloader that fetches and executes a second-stage payload. The payload itself is not part of this sample, so its nature is inferred from the macro logic rather than observed.

Heuristics (2)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close defined name that points into an Excel 4.0 macro sheet. In BIFF such built-in names are stored as a one-byte code (0x01 for Auto_Open, 0x02 for Auto_Close) inside a NAME record rather than as the literal string, so a byte-string search of the raw stream can miss the entry even though Excel will honour it; the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet substream (BOUNDSHEET record with sheet type 0x01). XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022; on its own it only raises suspicion, which is why the auto-execution name above carries the higher severity.
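The two heuristics above amount to walking the BIFF8 "Workbook" stream for a BOUNDSHEET record whose sheet type is 0x01 and a NAME (Lbl) record that resolves to Auto_Open / Auto_Close. The following is an added example, not the report's own tooling and not oletools code, that implements both checks against a BIFF stream built inline (a constructed stand-in, not the analyzed sample). Record layouts follow MS-XLS; the rule identifiers reuse the labels from this report. It also shows why the raw byte-string check the first heuristic warns about fails on the built-in form of the name: the stream never contains the bytes "Auto_Open", only the code 0x01.

```python
"""Walk a raw BIFF8 'Workbook' stream and flag Excel 4.0 (XLM) auto-exec indicators.

Added example, not the report's tooling and not oletools. Record layouts follow
MS-XLS; build_sample() constructs a stand-in stream, not the analyzed file.
"""
import struct

BOF, BOUNDSHEET, LBL, EOF = 0x0809, 0x0085, 0x0018, 0x000A
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet (XLM)", 0x02: "chart", 0x06: "VBA module"}
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
# Built-in defined names are stored as a one-byte code, not as text (MS-XLS Lbl record).
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
AUTO_NAMES = {n.lower() for n in BUILTIN_NAMES.values()}


def iter_records(stream):
    """Yield (record_type, payload) for each BIFF record (2-byte type, 2-byte length, data)."""
    pos = 0
    while pos + 4 <= len(stream):
        rectype, length = struct.unpack_from("<HH", stream, pos)
        if pos + 4 + length > len(stream):
            break                                   # truncated record: stop rather than misparse
        yield rectype, stream[pos + 4:pos + 4 + length]
        pos += 4 + length


def _xl_string(buf, cch):
    """Decode an XLUnicodeStringNoCch: 1 flags byte (bit0 = UTF-16LE), then cch characters."""
    wide = buf[0] & 0x01
    raw = buf[1:1 + cch * (2 if wide else 1)]
    return raw, raw.decode("utf-16-le" if wide else "latin-1")


def parse_boundsheet(data):
    """BoundSheet8: lbPlyPos(4) grbit(2) stName; sheet type dt is the high byte of grbit."""
    lb_ply_pos, grbit = struct.unpack_from("<IH", data, 0)
    _, name = _xl_string(data[7:], data[6])
    return {"name": name, "offset": lb_ply_pos,
            "type": SHEET_TYPES.get(grbit >> 8, "unknown(0x%02x)" % (grbit >> 8)),
            "state": HS_STATE.get(grbit & 0x03, "?")}


def parse_lbl(data):
    """Lbl (defined name): 14-byte header, name string, then cce bytes of rgce formula."""
    flags, _chkey, cch, cce = struct.unpack_from("<HBBH", data, 0)
    raw, text = _xl_string(data[14:], cch)
    builtin = bool(flags & 0x0020)                  # fBuiltin: name is a code, not text
    name = BUILTIN_NAMES.get(raw[0], "builtin(0x%02x)" % raw[0]) if builtin else text
    rgce = data[15 + len(raw):15 + len(raw) + cce]
    target = None
    if cce >= 7 and rgce[0] in (0x3A, 0x5A, 0x7A):  # PtgRef3d: ixti(2) row(2) col(2)
        ixti, row, col = struct.unpack_from("<HHH", rgce, 1)
        target = (ixti, row + 1, (col & 0x3FFF) + 1)  # ixti indexes EXTERNSHEET; 1-based R/C
    return {"name": name, "builtin": builtin, "hidden": bool(flags & 0x0001), "target": target}


def naive_grep(stream):
    """The byte-string check the heuristic warns about: blind to the built-in one-byte form."""
    return b"Auto_Open" in stream or b"auto_open" in stream


def scan_workbook(stream):
    """Return sheets, defined names and rule hits for a BIFF8 Workbook stream."""
    sheets, names = [], []
    for rectype, payload in iter_records(stream):
        if rectype == BOUNDSHEET:
            sheets.append(parse_boundsheet(payload))
        elif rectype == LBL:
            names.append(parse_lbl(payload))
    findings = []
    macro = [s for s in sheets if s["type"] == "macro sheet (XLM)"]
    if macro:
        findings.append(("OLE_XLM_AUTOOPEN", "medium",
                         "XLM macro sheet: " + ", ".join("%s (%s)" % (s["name"], s["state"]) for s in macro)))
    for n in names:
        if n["name"].lower() in AUTO_NAMES:
            form = "built-in code" if n["builtin"] else "string name"
            where = "-> ixti=%d R%dC%d" % n["target"] if n["target"] else "-> non-Ref3d formula"
            findings.append(("OLE_XLM_AUTOOPEN_DEFINEDNAME", "critical",
                             "%s (%s%s) %s" % (n["name"], form, ", hidden" if n["hidden"] else "", where)))
    return {"sheets": sheets, "names": names, "findings": findings}


def _rec(rectype, payload):
    return struct.pack("<HH", rectype, len(payload)) + payload


def build_sample(builtin=True):
    """Constructed BIFF8 globals substream (not the real sample): visible Sheet1, a very-hidden
    XLM sheet Macro1, and an Auto_Open name (built-in code 0x01, or the literal string) whose
    formula is a PtgRef3d to R1C1 of ixti 1."""
    bof = _rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))
    sheet1 = _rec(BOUNDSHEET, struct.pack("<IHBB", 0, 0x0000, 6, 0) + b"Sheet1")
    macro1 = _rec(BOUNDSHEET, struct.pack("<IHBB", 0, 0x0102, 6, 0) + b"Macro1")  # dt=1, very hidden
    rgce = struct.pack("<BHHH", 0x3A, 1, 0, 0)
    flags, cch, name = (0x0020, 1, b"\x00\x01") if builtin else (0x0000, 9, b"\x00auto_open")
    lbl = _rec(LBL, struct.pack("<HBBHHHBBBB", flags, 0, cch, len(rgce), 0, 0, 0, 0, 0, 0) + name + rgce)
    return bof + sheet1 + macro1 + lbl + _rec(EOF, b"")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                           # real .xls: needs the olefile package;
        import olefile                              # BIFF8 stream is "Workbook" (BIFF5: "Book")
        stream = olefile.OleFileIO(sys.argv[1]).openstream("Workbook").read()
    else:
        stream = build_sample()
    print("naive grep for b'Auto_Open':", naive_grep(stream))
    for rule, sev, detail in scan_workbook(stream)["findings"]:
        print("%-30s %-8s %s" % (rule, sev, detail))
```

Run without arguments to scan the constructed stream, or pass a .xls path to scan a real BIFF8 workbook (requires olefile). The walker deliberately stops at a truncated record instead of guessing, and it does not follow CONTINUE records, which is fine for defined names (short) but would need handling for long string records. Resolving the ixti in the Auto_Open target to an actual sheet requires the EXTERNSHEET table, which this example reports raw rather than resolving.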

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename         Kind        Source                                                   Size
xlm_macros.txt   xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   39400 bytes
  SHA-256: 2f0d358f12b32f717bc2f0417ba8e06795f8c2bde7caefe775537c3a1a5648dc