Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 853ba2c7ccf4deb4…

MALICIOUS

Office (OLE) / .XLSX

Size: 213.0 KB
Created: 2020-06-24 17:08:55
Authoring application: Microsoft Excel
MD5: 58db9bb4abf52a8011ac8afff70c7f23
SHA-1: fe8a3adc14c257f6207f608ced1c749aa4b058e7
SHA-256: 853ba2c7ccf4deb46ef2f1030e2cd9b3e109b10d329bb18bd9a0c63ce10e3cda
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The file contains critical heuristics indicating the presence of Excel 4.0 (XLM) macros, including an Auto_Open entry and environment evasion techniques. While VBA macros are also detected, the primary threat appears to stem from the older XLM macro functionality. The specific actions of the XLM macro are not fully detailed in the provided evidence, but its presence and evasion tactics suggest a malicious intent, likely to download and execute a secondary payload or perform other harmful actions.

Heuristics (4)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open environment-evasion close gate [critical] OLE_XLM_ENVIRONMENT_EVASION_CLOSE
    The Excel 4.0 macro sheet auto-executes environment checks with GET.WORKSPACE / GET.WINDOW, then shows a fake corruption/error message and closes the workbook when the host fails those checks. This is a malware sandbox-evasion pattern, even when the later payload stage is hidden behind obfuscated defined-name flow.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • xlm_macros.txt
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 73899 bytes
    SHA-256: ccc006a3c01849bf27588e435d0055eab8d3ab2bd77fdcf8cccfb378801c3b46
  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 717 bytes
    SHA-256: be23b65a6fa29680599137f837eec0639785801749f6f7877198f0531b8d3b52