Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 91f07d3af97ccccd…

MALICIOUS

Office (OLE) / .XLS

11.5 KB Created: 2026-02-07 23:10:16 Authoring application: Microsoft Excel
MD5: 25f4b7b6f47220db93a665fe0c84998f SHA-1: 7b61896d7814f3f921fb40a644da50f20c8c9714 SHA-256: 91f07d3af97ccccd5fc9c485c9ac58334bdb0da2ed732403de066f0486f1f70e
108 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

The sample is an Excel 4.0 macro sheet that is encrypted, a common technique for obfuscating malicious content. The presence of SC_STR_WSCRIPT heuristic indicates the potential use of Windows Script Host to execute commands. While no specific document body content or scripts were clearly extracted, the encryption and macro sheet structure strongly suggest an intent to download and execute a secondary payload.

Heuristics 4

  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Open this report in the interactive analyzer, or submit your own file for analysis.