MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
T1059.001 PowerShell
The file is an encrypted Excel 4.0 macro sheet, which is a strong indicator of malicious intent. The heuristic 'SE_DOCUSIGN_LURE' suggests it impersonates a document signing service to trick users. No executable scripts or network indicators were found, but the presence of an encrypted macro sheet and the impersonation lure point to a downloader or initial access attempt.
Heuristics 4
- Encrypted Excel 4.0 macro sheet (high, OLE_XLM_ENCRYPTED_MACROSHEET): Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code.
- Document signing service impersonation lure (medium, SE_DOCUSIGN_LURE): Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 544daaabe44d28a0d90032cc3a030b8ea0c58bb49ed123e4b89277098cd2b245 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 726 bytes |