Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 676e5371b40ea463…

MALICIOUS

Office (OLE)

Size: 2.34 MB
Created: 2003-05-11 05:06:14
Authoring application: Microsoft Excel
MD5: ef550ce38c9014d3f0c9000a45d38830
SHA-1: 4be5fe380abe8b3632d178bbcab893d425ff32eb
SHA-256: 676e5371b40ea463464a4f623038bda984d03d691bc1d97bf4a352a9587228c8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Excel file containing both VBA and XLM macros, with Workbook_Open and Auto_Open macros detected. The document body contains a list of Chinese location names and codes, suggesting a social engineering lure to trick the user into enabling macros. The VBA code manipulates sheet properties and menus, likely to obscure its malicious activity and prevent easy detection or disabling.

Heuristics 4

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash: f8188554e0aa196eeb9ea07e49d2900ad3cdf02103954ec764fa2c7f232400dd
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 75369 bytes