Office (OLE) / .XLS malware analysis — malicious · 7ad4f317592fa8c0

MALICIOUS

Office (OLE) / .XLS

35.5 KB Created: 2021-02-16 08:14:40 Authoring application: Microsoft Excel

MD5: fd677b62ee20fe7313d3ba6fea65ec5a SHA-1: 8d846c934c3a424201c37c3a2cd3e5dfae88c0a8 SHA-256: 7ad4f317592fa8c049fb35cea9b057beb6dff45012810cc02cd0967cecbcc5df

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample contains Excel 4.0 macros, specifically an Auto_Open entry, which is a known technique for executing malicious code upon opening the workbook. The macro code appears to be heavily obfuscated, but it contains numerous long strings that are likely encoded data or URLs. These strings are the primary indicators of malicious activity, suggesting the macro is designed to download and execute a second-stage payload. The presence of the Auto_Open macro and the obfuscated strings strongly indicate a malicious intent.

Heuristics 2

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `5866fb6c971a7384352afc6ae40cc8f2cc5beb08047ad184803130dd9a095905`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	16003 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.