Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7bb7de3215d3e8a9…

MALICIOUS

Office (OLE) / .XLS

Size: 51.0 KB
Created: 2020-11-11 12:15:34
Authoring application: Microsoft Excel
MD5: e696a3e6497ced315b344d6ab1aa6c5f
SHA-1: 66c6efb7cc4b48bd6e4a14d9edae16bb7e21ffd0
SHA-256: 7bb7de3215d3e8a98b95fee746692f710b91da494b80bc7fe73636875dc610b7
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that VBA macros are used to launch decoded Excel4 macros. This suggests the file is designed to execute arbitrary code, likely by downloading a secondary payload. The presence of VBA macros and the specific stager technique point towards downloader or dropper functionality. No specific family could be identified.

Heuristics (2)

  • VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER
    VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7e99c2a39ec508a2e6984dd3d7b9e112bee0e64b472ffcc4ab0030c156f61a0d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2073 bytes