Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7689266131f0458c…

MALICIOUS

Office (OLE) / .XLS

53.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 8fea8f4c8a202beda837114d62efee6f SHA-1: 9a06c8a32c8cf3b66ed4bda02a9a583a39106717 SHA-256: 7689266131f0458c616406125182320bc32c175d0b5747c5dbbbf9c0a9b469ae
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is an Excel file containing encrypted Excel 4.0 macros and VBA macros. The VBA code explicitly calls the URLDownloadToFile API to download a file from a URL constructed from concatenated strings found in the 'Files' sheet. This indicates a downloader functionality, aiming to retrieve and execute a secondary payload.

Heuristics 5

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
242295942b26c9c64c29487fde86231c68f873cfbaff178d24e4e522ae7a1477		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1725 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.