Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7bd3771105173879…

MALICIOUS

Office (OLE) / .XLS

Size: 1.49 MB
Created: 2009-04-15 07:28:19
Authoring application: Microsoft Excel
MD5: 29a3072a8326241b9f9c026ac056d45a
SHA-1: 86162ad687bfb459afd835dd4448b402733c5575
SHA-256: 7bd37711051738798831d7936ae531a8270d990eb327c36e79d30a5e63f3d1ed
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The file contains critical heuristics indicating the presence of Excel 4.0 (XLM) macros, specifically an Auto_Open entry and the use of dangerous functions such as RUN. These macros are known to be used for executing arbitrary code, often to download and run additional malicious payloads. The presence of 'XL4Poppy' in the document body and as a sheet name suggests a potential identifier for this malware.

Heuristics (5)

  • Excel 4.0 Auto_Open defined name (critical) OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical) OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy Excel formula macro virus marker (critical) OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • Excel 4.0 (XLM) macro sheet present (medium) OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 5d1e1457982e266f72b893c5a68274fa3092ddc9ff7a4e32c5c231524ef4e0c4
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 1134142 bytes