Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6d1d04820f91ac20…

MALICIOUS

Office (OLE) / .XLS

3.09 MB Created: 2007-10-15 02:59:00 Authoring application: Microsoft Excel
MD5: 4fd6788419389b6e0575adfd54391aa9 SHA-1: 2ba0babd050413a94233ce6e64d5a505edbe667c SHA-256: 6d1d04820f91ac20677c66a0c3dee0fdfaa72007c5fec06ddbdd0df0469b251a
190 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel 4.0 (XLM) macro-enabled workbook. Heuristics indicate the presence of an Auto_Open macro designed to execute a payload. The embedded URLs are likely used to download and execute a second-stage payload. The document body content appears to be a list of user-related data, likely a lure to encourage macro execution.

Heuristics 5

  • XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LURE
    Workbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.1.22/TANHOP
    • http://192.168.1.22/Documents
    • http://192.168.1.22/BCAO_VNM

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7319dee50016b1beec466b20bb83e21fbf60bf393a15ad521f5b0d2d5bf47ae4		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1561 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.