Office (OLE) / .XLS malware analysis — malicious · 8b73752a250c008b

MALICIOUS

Office (OLE) / .XLS

32.5 KB Created: 2021-01-19 10:51:22 Authoring application: Microsoft Excel

MD5: 3591657e370f0718bdc7d2b4d753fa39 SHA-1: cbefc532f9d624980c803b5f318fb1f10eaba0dd SHA-256: 8b73752a250c008beb3a7fe62eaf5b979c371722996081dd7276dc84fb5a213b

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file is an Excel 4.0 (XLM) macro-enabled spreadsheet. Heuristics indicate obfuscated macro chains, suggesting malicious intent. The document body presents a fake invoice, prompting the user to enable content to view it, which is a common social engineering tactic for macro-based malware delivery. No specific IOCs like URLs or hashes were extracted from the macro itself.

Heuristics 2

Obfuscated XLM defined-name macro chain high OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN

Excel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `843f14a03ca7a773d47e4963f3f52f3cc8d1618a49dd77193bb4d1ddec23c2c6`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	3684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.