Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6b40406304c4cdec…

MALICIOUS

Office (OLE) / .XLS

Size: 1002.0 KB
Created: 2010-08-18 15:51:18
MD5: b88c9f9b787eb87da24f7ce33005a1f0
SHA-1: 45ab072b286b4654cb3cc6c9dd6db30fd307e0fc
SHA-256: 6b40406304c4cdec8050b98a9b13bf4dd115c1b0e4b18ec9f313417a3321ed70
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing Excel 4.0 macros, indicated by the OLE_XLM_AUTOOPEN heuristic. These macros are known to be capable of executing arbitrary code, and the presence of NOP sleds and GetPC stubs suggests shellcode execution. The macro sheet itself is hidden, a common tactic for obfuscation. The primary function appears to be executing a payload, likely downloaded from an external source, though no specific download URLs were extracted.

Heuristics (3)

  • NOP sled detected (severity: high, SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP ECX) (severity: high, SC_GETPC_CALL)
    x86 GetPC stub (CALL $+5; POP ECX)
  • Excel 4.0 (XLM) macro sheet present (severity: medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: xlm_macros.txt
    SHA-256: c2d076a6e609a8b33579240c4c97ddb741702fb224c691665176231441d0ac2f
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 17509 bytes