Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 89dac51b6bb92931…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:47:39
Authoring application: Microsoft Excel
MD5: 2e8475682ca31d87e59b4592b694bfaa
SHA-1: a4edf8e7ee8bc8fe4532e33c4213f38ffa2f3fb1
SHA-256: 89dac51b6bb92931c7fc8594e552d62fab7c837fc97dd5df76002efa31bfe153
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel 4.0 macro sheet that contains an Auto_Open defined name, indicating that it will automatically execute when the workbook is opened. Heuristics indicate the use of dangerous formula APIs within the macro, suggesting it is designed to perform malicious actions. No specific URLs or hashes were extracted, but the presence of XLM macros is a strong indicator of malicious intent.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 6df45fc64595a9a16f74fbb66a36470ad0f082a43bfabb1d027277d9e348f307
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 6916 bytes