Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9592dc8230acdc35…

MALICIOUS

Office (OLE) / .XLS

Size: 67.5 KB
Created: 2020-09-20 21:17:44
MD5: ae3bf0939a390d7c38a765a23690f54d
SHA-1: 27381985e1da4c9faeb994085b34e199da62d3fb
SHA-256: 9592dc8230acdc35ba7994a1e0ac1c9cdde915195501cf8ebf89ce3d3b7b61e6
Risk score: 60

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic for Applications

The sample is an Excel 4.0 spreadsheet containing an Auto_Open macro. This macro utilizes dangerous functions, specifically the RUN function, indicating an intent to execute arbitrary code. While an embedded URL was found, it was flagged as confirmed benign, and no other IOCs were extracted.

Heuristics (3)

  • XLM Auto_Open with dangerous formula APIs (severity: high, rule: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://tinyurl.com/y44j7jgj

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 97175c2246319641a5f3dbd167641b4a56718dd5005c938f8c39c8062cb1708b
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 1549 bytes