Office (OLE) / .XLS malware analysis — suspicious · 7b78b0edcad06c5d

SUSPICIOUS

Office (OLE) / .XLS

2.14 MB Created: 2016-09-09 01:19:58 Authoring application: Microsoft Excel

MD5: 08282b63eba0b9421bb1b23741895c3a SHA-1: 2105172e4ad697972c80d3274a8a292536e94c25 SHA-256: 7b78b0edcad06c5d275c728c5f163ca1b1c2281bfc7bf0512838a58dae0c34ec

40 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing VBA macros, with a Workbook_Open subroutine that triggers the execution of other VBA code. This code is designed to run automatically when the workbook is opened, suggesting an attempt to download and execute a secondary payload. The macro capabilities are present but unconfirmed, leading to a moderate confidence score.

Heuristics 3

Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATED

The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `a664dedfd4bd0cee28d3426652cdd49fb50c37b48ab561674d0dd2af41d0c314`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	17498 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.