Office (OLE) / .XLS malware analysis — malicious · 914a2666e863aa31

MALICIOUS

Office (OLE) / .XLS

5.75 MB Created: 2009-04-06 14:34:54 Authoring application: Microsoft Excel

MD5: 7711991146a00d6a70d606929c83b9d0 SHA-1: 8fe78fe0dfc13e9528c88a315314aca3a7bc97b3 SHA-256: 914a2666e863aa31a713a950a59dcb98da216d09819018610433b8724bb3b618

128 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1566.001 Spearphishing Attachment

The file is identified as malicious due to the presence of legacy Excel 4.0 (XLM) macros, specifically triggering OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristics. While VBA macros are present, they contain no executable statements. The document body contains what appears to be construction or material cost data, which could serve as a lure. The primary attack vector is the execution of the XLM macro, which is known to be used for initial compromise by various malware families.

Heuristics 3

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `9d7ee0a67ce1f5c025fdd2d07b81d11b651a1a5c9883f114d45f89dc095841bd`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4517 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.