Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c620b9c3f62f9d5…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 2020-11-25 10:44:44
Authoring application: Microsoft Excel
MD5: 268bfa040d46ffc19e1372ac48899c4f
SHA-1: b50c11d5ae7e80cd6e26fe6d3229e92b435a90ad
SHA-256: 6c620b9c3f62f9d585d1f8336a8927465daabd6ed9872aaaf754eb18061409f9
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file contains Excel 4.0 macros, specifically an Auto_Open function, which is a known method for executing malicious code. The presence of dangerous formula APIs like RUN indicates the macro is designed to execute arbitrary commands. The obfuscated document body and the nature of XLM macros suggest a downloader or initial execution stage.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name (critical) [OLE_XLM_AUTOOPEN_DEFINEDNAME]
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical) [OLE_XLM_DANGEROUS_FN]
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (medium) [OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: fd711e14d969416e330d7b6a35f2f68e1551aaf8f01d841ffcdd40d3d10cfe16
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6543 bytes