Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5f9da8134eece8b2…

MALICIOUS

Office (OLE)

39.0 KB Created: 2020-04-15 06:58:50 Authoring application: Microsoft Excel
MD5: a2ab06deeee2279099a3138c36901d92 SHA-1: d59a7506323019567a4f9cac0066da6c7d585d0c SHA-256: 5f9da8134eece8b25f6d4da2815d49cc1ea7a5e9d2b18cec549a1ee47010c394
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample contains both VBA and Excel 4.0 macros, with a critical heuristic indicating that a VBA ActiveX event triggers a decoded Excel 4.0 macro. This macro uses SEND.KEYS to execute a PowerShell command, which is heavily obfuscated and likely downloads a second-stage payload. The presence of PowerShell execution and the ClamAV detection strongly suggest a dropper functionality.

Heuristics 7

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
  • ClamAV: Xls.Dropper.Agent-7667955-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7667955-0
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
820cb8b428caefa499dbdff2fe1d389804ae026ef3c5d9141364f4ba73c78f4f		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 3061 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 4 long base64-like blob(s).
macros.bas
444a06ec09cc37d1c706f37bcfb855bee159d5dd3aadd474eb18e65e1bcc8657		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 866 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.