Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 87091a9f7e6707e1…

MALICIOUS

Office (OLE)

Size: 675.5 KB
Created: 2020-07-08 08:53:56
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: a232a0a1cae699df3de319912a1d1a43
SHA-1: 964db62119ffd8bf045c4084e58fac9f99e93ded
SHA-256: 87091a9f7e6707e1ae49c2e0b8e0f93a7ede8762ff8ffb995c6669528ae6b5da
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file containing an encrypted Excel 4.0 macro sheet, indicated by the OLE_XLM_ENCRYPTED_MACROSHEET heuristic. This suggests the file is designed to run malicious macros. The presence of an OLE_XLM_AUTOOPEN heuristic further supports this, indicating an auto-execution macro. The document body was truncated and unreadable, preventing further analysis of its specific lure.

Heuristics (2)

  • Encrypted Excel 4.0 macro sheet (severity: high, ID: OLE_XLM_ENCRYPTED_MACROSHEET)
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, ID: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.