Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8b63c2632e61ca6f…

MALICIOUS

Office (OLE) / .XLS

Size: 32.5 KB
Created: 2020-12-11 12:11:04
Authoring application: Microsoft Excel
MD5: 3f9657c9a8550cf48b010bb2d3dae618
SHA-1: 7e198b623883ed7b2e162e3b7c51894e7f393d05
SHA-256: 8b63c2632e61ca6f922860afc6f451cea59941553482d75facdb6730e2fbd82f
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1566.001 Spearphishing Attachment

The file contains an Excel 4.0 macro sheet with obfuscated defined names, indicating a malicious intent to execute code upon opening. The document body presents a fake invoice with a prompt to 'Press button to receive invoice', suggesting a social engineering lure. The obfuscated macro chain likely attempts to download and execute a secondary payload, though the specific mechanism is not fully discernible from the truncated script data.

Heuristics (2)

  • Obfuscated XLM defined-name macro chain (severity: high, rule: OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN)
    Excel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
  SHA-256: 62035414869e84564c16fbaecee559e867423f299d35f44af78c87e274c0f503
  Kind:    xlm-macro
  Source:  oletools.olevba.extract_all_macros (XLM macro listing)
  Size:    3492 bytes