Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9b99c699c381aee4…

MALICIOUS

Office (OLE) / .XLS

Size: 50.5 KB
Created: 2020-11-09 12:10:54
MD5: d80bd52838a72d155143fef947b86917
SHA-1: 3d5e3afb5c27cb878c46e12afa85748fe09b9e61
SHA-256: 9b99c699c381aee420dc3e57f5b2b6cff38cbd760448167eeb7ba16d56b77811
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic (VBA)
T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic OLE_VBA_ACTIVEX_XLM_STAGER indicates that VBA macros are used to launch decoded Excel4 (XLM) macros. The VBA script itself contains obfuscated code that appears to decode and execute further commands. While the exact payload is not directly visible, this technique is commonly used to download and execute additional malicious content. The document body content is heavily obfuscated and provides no clear user-facing text, suggesting it is not a typical lure document.

Heuristics (2)

  • VBA ActiveX event launches decoded Excel4 macro (critical, OLE_VBA_ACTIVEX_XLM_STAGER)
    VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 49b498cd052a62a4ccb363eb2dcd418ee5af18c9c14512069989e330208f2d13
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1886 bytes