Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8b5e4908125ec0db…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 2.34 MB
Created: 1991-10-10 03:11:32
Authoring application: Microsoft Excel
MD5: e32a1efea199942b73a63b4415b5095f
SHA-1: 868cda000ef3fa12316f920c7b659719a3bca2cd
SHA-256: 8b5e4908125ec0db0506f28e618fe07049de0f3f6f83dea61a7f6bddccb9ed11
Risk Score: 460

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1027 Obfuscated Files or Information
  • T1140 Deobfuscate/Decode Files or Information

The file is an Excel 4.0 macro sheet with an Auto_Open macro, indicating that it is designed to execute code as soon as the workbook is opened. The presence of the `OLE_XLM_AUTOOPEN`, `OLE_VBA_SHELL`, and `OLE_VBA_PCODE_AUTOEXEC_EXEC` heuristics strongly suggests that the macro attempts to run external commands or download additional payloads. The `CVE_2015_0097` heuristic points to a specific vulnerability that might be leveraged. The VBA script itself contains `Workbook_Activate` and `Workbook_SheetActivate` event handlers, which are common triggers for malicious macro execution, and includes calls to `Hq_F_RelaProjType` and `Hq_P_SetMenu`, which are indicative of custom malicious logic.

Heuristics (11)

  • ADODB.RecordSet — CVE-2015-0097 (severity: high; CVE likely; id: CVE_2015_0097)
    ADODB.RecordSet — CVE-2015-0097
  • Excel 4.0 (XLM) Auto_Open + macro sheet (severity: critical; id: OLE_XLM_AUTOOPEN)
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Shell() call in VBA (severity: critical; id: OLE_VBA_SHELL)
    Shell() call in VBA
  • Encrypted Excel 4.0 macro sheet (severity: high; id: OLE_XLM_ENCRYPTED_MACROSHEET)
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Auto_Open macro (severity: high; id: OLE_VBA_AUTO)
    Auto_Open macro
  • Auto_Close macro (severity: high; id: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CreateObject call (severity: high; id: OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (severity: high; id: OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (severity: high; id: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (severity: high; id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (severity: medium; id: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 321ddf29490633b04b56a0d38d43ddd33770027c9ef90b994ec5b5518617c049
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 161878 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.