Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 8a2491dc3b77a2b3…

MALICIOUS

Office (OLE) / .XLSX

Size: 32.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 38b4873e342c9d1b20d28e9aa0edcc13
SHA-1: 39982796a75e649f68e1060853dd8221e51f0875
SHA-256: 8a2491dc3b77a2b38d08d9722ae1bc7ebb412b5e2df012dadf4cc89e9a412dde
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1204.002 Malicious File

The file contains Excel 4.0 macros, specifically an Auto_Open macro that utilizes dangerous formula APIs like RUN. This indicates an attempt to execute arbitrary code. The presence of an embedded URL suggests the macro is intended to download and execute a second-stage payload. The heuristic 'SE_ENABLE_LURE' further supports this by indicating the document likely prompts the user to enable macros.

Heuristics (5)

  • XLM Auto_Open with dangerous formula APIs (severity: high, ID: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, ID: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure (severity: medium, ID: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • VBA project contains no executable statements (severity: low, ID: OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options, and comments, with no executable statements.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://188.127.224.100/%f%

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename       | SHA-256                                                          | Kind      | Source                                                        | Size
xlm_macros.txt | 2be15c634779cf2b3e1484f4136edc55a719f6036cc7272362139fc35b4cd6f1 | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing)        | 747 bytes
macros.bas     | 6ef16962a7d1736287e80a5790fa109ca5c76acb8ae2190be54273430dbfbedb | vba-macro | oletools.olevba.extract_macros (decoded VBA source)           | 371 bytes