Office (OLE) / .XLS malware analysis — malicious · 654a8c3c3e62d7ff

MALICIOUS

Office (OLE) / .XLS

5.75 MB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 4d036665b30962d76b020a9c6ccab45d SHA-1: b83d37db988fd6be62928f9cb4ee332a662f3ac7 SHA-256: 654a8c3c3e62d7ffdf27ca9bb778640fa816d33565e4fe0bf5d78e7cb389c6e6

128 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristic firings. The presence of these legacy macros suggests an attempt to execute arbitrary code upon opening the document. While VBA macros were present, they contained no executable statements, indicating the primary malicious activity is likely within the XLM macros. The document body contains what appears to be product part numbers and descriptions, possibly used as a lure.

Heuristics 3

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `450b101f38061284b766728ba9dfa0da74277339c51949e4080f12a1f34bdb88`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2438 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.