Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 82294b5534f7394c…

MALICIOUS

Office (OLE) / .XLSX

329.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: c27e16aa108aee8faf502810f41af5b4 SHA-1: 9eb517049f70806ebddda4c1e3187443fdbf4b62 SHA-256: 82294b5534f7394c35829a0b85dffd19c4dfd094f5e8bbd021bc104bd212a7c1
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File T1059.004 Scripting - Microsoft JScript T1059.001 PowerShell T1059.003 Windows Command Shell

The presence of Excel 4.0 macros, specifically an Auto_Open macro utilizing dangerous functions like RUN, strongly suggests malicious intent. The heuristic firing for ShellExecute API further indicates that the macro is designed to execute external commands. The embedded URL likely serves as a distribution point for a secondary payload, aligning with downloader malware behavior. The ClamAV detection name 'Doc.Downloader.Docusign0521-9864805-0' also supports this assessment.

Heuristics 5

  • ClamAV: Doc.Downloader.Docusign0521-9864805-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Docusign0521-9864805-0
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • XLM Auto_Open with dangerous formula APIs high OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://uaeub.com/ds/161120.gif�

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
c7e4e7ed3c1ce4a0357cad7ea2d4765567912ff9637c55ef23ac64833b3a62a6		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6274 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.