Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 a15afa04e1f3e193…

MALICIOUS

Office (OLE) / .XLSX

277.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2022-09-22
MD5: f4c7ee5276ea898a0812816a98866865 SHA-1: 5896ef3bc1d7fe55fd014d69644aff228937170c SHA-256: a15afa04e1f3e1937512c81cc8f3323192f954b6096cdd1df2ce9d48f52c1635
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File

The sample contains an Excel 4.0 macro sheet and instructs the user to enable macros, impersonating a document signing service. The document body contains obfuscated text that reconstructs to a URL and filenames, indicating a likely downloader for a second-stage payload.

Heuristics 3

  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Document signing service impersonation lure medium SE_DOCUSIGN_LURE
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context

Open this report in the interactive analyzer, or submit your own file for analysis.