Office (OLE) / .XLS malware analysis — malicious · 8ef93d8d9a543384

MALICIOUS

Office (OLE) / .XLS

818.0 KB Created: 2006-11-29 14:10:37 Authoring application: Microsoft Excel

MD5: 91f19d455e4ab9904d10a60050a459cd SHA-1: c4461800bd6f216182bd1c4ca8e7f2e82817f23e SHA-256: 8ef93d8d9a543384f0730d45b91a7d8692a3ac283a11112db237c51294ca4390

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel spreadsheet containing VBA macros, indicated by the OLE_VBA_MACROS heuristic. The OLE_VBA_CREATEOBJ heuristic suggests the macros attempt to execute code. The presence of 'macros.bas' and the document body content discussing financial reporting and data integration implies a lure to enable macros. The macros likely download and execute a second-stage payload, though the specific mechanism is not detailed in the provided evidence.

Heuristics 4

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://activex.microsoft.com/controls/vb6/mscomct2.cab

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `f92a97aa9513f113c70841740feb7398b3eb56bf89154a94009e20a3fb4cbf0e`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	78569 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.