Office (OLE) / .XLS malware analysis — malicious · 6c9cd21f4515714e

MALICIOUS

Office (OLE) / .XLS

759.5 KB Created: 2010-02-23 04:12:47 Authoring application: Microsoft Excel

MD5: c09a0b42897602f3b54bf3a16770548a SHA-1: dce8141e946bfcad9ce2a8b24bac78a0a8e63806 SHA-256: 6c9cd21f4515714ee85dbd8a0fdf59f4cd7c099d2a1a0da5b1acffa7838448c3

248 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing Excel 4.0 (XLM) macros, specifically triggering an Auto_Open function. Heuristics indicate the use of dangerous API functions like RUN, and markers suggest it belongs to a legacy macro-virus family. While VBA macros are present, they contain no executable statements, indicating the primary malicious activity is within the XLM macros. The document body contains what appears to be a list of software and hardware entities, likely a lure to disguise the malicious macro functionality.

Heuristics 5

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `ad56310d1fddb0ee0add4716674675408c7fc44fa7ec0bb60a715e43675c7b56`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	169296 bytes
`macros.bas` `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.