Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5ff1c2eb1de3a762…

MALICIOUS

Office (OLE) / .XLS

Size: 1.13 MB
Created: 2000-05-26 16:45:09
Authoring application: Microsoft Excel
MD5: 796230e82d9d1fb7b49bf66767274b58
SHA-1: 6a36ac61f770deaf01fd19debb8d15449c98f770
SHA-256: 5ff1c2eb1de3a7624fc68a1cfb9e963b2e571dc1b248ec12d670131e1916ca0c
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing both VBA macros and Excel 4.0 (XLM) macros, which are commonly used to deliver malware. The presence of these macro types, combined with the critical ClamAV detection, strongly suggests the file is malicious and intended to execute arbitrary code. The XLM macro sheet marker and the VBA code indicate the potential for a macro-based downloader or dropper.

Heuristics 3

  • ClamAV: Xls.Malware.Generic-6680536-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Generic-6680536-0
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • xlm_macros.txt
    6486e3cc6b760bfccf387a5b2b8b93309e8446db40fff8d1eb95c275f60b565c
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 944840 bytes
  • macros.bas
    826095c4e834a1dcdb83e97f6cf9ba82475eae1863b99ffbefb831a23c5d1c6b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 9042 bytes