Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9222fa51849095d5…

MALICIOUS

Office (OLE) / .XLS

Size: 59.0 KB
Created: 2020-04-27 23:19:44
Authoring application: Microsoft Excel
MD5: 989e7304cef687c4745818ecf716d787
SHA-1: a1d29edd2641e4f3dfc46534b4dea686460e4d27
SHA-256: 9222fa51849095d524cc7cd7f9c059698795b6eb77b6128e9b2e3daa5d11ab8e
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The sample is an Excel 4.0 macro sheet that is encrypted, as indicated by the OLE_XLM_ENCRYPTED_MACROSHEET heuristic. The presence of an OLE_XLM_AUTOOPEN heuristic further suggests that the macro sheet is designed to execute automatically upon opening. Due to the encrypted nature of the macro sheet, the specific actions it performs cannot be determined, but it is highly likely to be a downloader or initial execution stage for further malicious activity.

Heuristics (2)

  • Encrypted Excel 4.0 macro sheet (severity: high) OLE_XLM_ENCRYPTED_MACROSHEET
    The workbook contains an Excel 4.0 macro sheet and a BIFF FILEPASS record indicating encryption. Password-protected XLM macro sheets, especially workbooks encrypted with Excel's default password so they open without a prompt, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present (severity: medium) OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.