Office (OLE) / .XLSX malware analysis — malicious · 6b9d0ba9a21c0c30

MALICIOUS

Office (OLE) / .XLSX

175.0 KB Created: 2008-04-21 08:25:00 Authoring application: Microsoft Excel

MD5: 91e87d1c89e60dba7a14dc7c79dd90c0 SHA-1: d93005c0b230629d4788b1de7c445b373e787db6 SHA-256: 6b9d0ba9a21c0c3010e371642ad039051e0af1651bd6a2b437a91ebe9ab97aca

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic firing indicates the presence of an Excel 4.0 macro sheet with an Auto_Open defined name, which allows for automatic execution when the workbook is opened. The macro sheet itself is heavily obfuscated, preventing a deeper analysis of its specific actions, but the Auto_Open entry strongly suggests a malicious intent to run code. No URLs or other IOCs were extracted.

Heuristics 2

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `0febf47f8cd596d62dff2511b7abe9dafe6e887bf1a8a4bc7db76d30f35bcca2`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	91844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.