Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 7ab87d1c51c5d86c…

Verdict: MALICIOUS
File type: Office (OLE) / .XLSX
Size: 31.0 KB
Created: 2021-01-20 13:23:23
Authoring application: Microsoft Excel
MD5: efde2b9dbc58314c0a29673f29ced09f
SHA-1: fa44488bdf4831a04399854b0e61dc1ab9713c40
SHA-256: 7ab87d1c51c5d86cc0ea33d5d44e2a7896ee3fdb5ac86c905b7603d35df51f7e
Risk Score: 140

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The file contains Excel 4.0 macros, specifically an Auto_Open defined name, which is a known technique for executing malicious code upon opening the workbook. The presence of dangerous formula APIs further indicates malicious intent. No specific family could be identified from the available evidence.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256:  6de8f6f05c8ed3fe3cb9f5f59142c035d4aa0fef069c912fb2ffc2a4954123ef
Kind:     xlm-macro
Source:   oletools.olevba.extract_all_macros (XLM macro listing)
Size:     3563 bytes