Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8971a92cd8684fb5…

MALICIOUS

Office (OLE) / .XLS

Size: 192.0 KB
Created: 1999-12-24 16:36:33
Authoring application: Microsoft Excel
MD5: 9da10bc0d1b3942b06bca604eecb2b4b
SHA-1: 1e41e13226a38e906fd04428d5b1937ea0dd05a6
SHA-256: 8971a92cd8684fb55f0f9808ab53b91216a354cc1894e41ad96485e559453094
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The file contains both VBA and XLM macros, with a Workbook_Open VBA macro detected. The VBA macro appears to initiate a game interface, potentially as a distraction or lure. The presence of obfuscated VBA strings and the detection of XLM macros suggest a multi-stage malicious document. While no direct download or execution URLs were found, the macro structure indicates a high likelihood of malicious intent, possibly for credential harvesting or further payload delivery.

Heuristics 3

  • [high] Workbook_Open macro (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • [medium] Excel 4.0 (XLM) macro sheet present (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • [medium] VBA macros detected (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
xlm_macros.txt (c2d076a6e609a8b33579240c4c97ddb741702fb224c691665176231441d0ac2f) | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 17509 bytes
macros.bas (72f4198ed5c04cb04469aa53c24e822fe1eacda99feac3847d48beb94370d5a7) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27327 bytes