Office (OLE) / .XLS malware analysis — malicious · 829419a788104ec4

MALICIOUS

Office (OLE) / .XLS

53.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: ef687c6dd0731d96d622ac024974a35b SHA-1: 907be2046fd958898fa14be35f567cbb30e5e8bb SHA-256: 829419a788104ec45e82487738be2779a83cac1b65bfc9343e351e75cfa49f5e

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The sample is an Excel file containing encrypted Excel 4.0 macros and VBA macros. The VBA macro explicitly uses the URLDownloadToFile API to download a payload from a constructed URL. The constructed URL is formed by concatenating strings from cells B60, B61, and B62 of the 'Files' sheet, and the download path is specified by cell B56. This indicates a downloader functionality.

Heuristics 5

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD

URLDownloadToFile in VBA
Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET

Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `242295942b26c9c64c29487fde86231c68f873cfbaff178d24e4e522ae7a1477`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1725 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.