Office (OLE) / .XLS malware analysis — malicious · 81b9da8dd0804f8c

MALICIOUS

Office (OLE) / .XLS

525.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2021-05-29

MD5: 5094b29fa2a544cc0fbf450d758d902d SHA-1: 4c88ae39d040c9568ae050396b9bf7b736e53ef4 SHA-256: 81b9da8dd0804f8cee60ab7bdcaf6159c50b4faf9ca7bda96e745244550d9e3f

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is an Excel 4.0 (XLM) macro-enabled workbook that uses an 'enable-content' lure to trick the user into enabling macros. The embedded URLs and the presence of XLM macros suggest it is designed to download and execute a second-stage payload, likely using rundll32.exe.

Heuristics 4

XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LURE

Workbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://aravindanavada.com/AHt5r3T0VSlq/solo.html In document text (OLE body)
- https://mrcrgroup.com/sOyQynNJYBY/solo.htmlIn document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.