Office (OLE) / .DOC malware analysis — malicious · a1a8b1f6ca8b52f0

MALICIOUS

Office (OLE) / .DOC

241.0 KB Created: 2020-04-17 06:37:08 Authoring application: Microsoft Excel

MD5: 82ed88e453f8e2827b12c8832bdc9c2d SHA-1: 7636d7154d82eb544982be2a68cc5d941bc5529b SHA-256: a1a8b1f6ca8b52f0adf5f7f9c48a9fa34b672b88b3d2daa4f3aae09622cc2679

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel 4.0 macro sheet (XLM) that contains an Auto_Open macro. This macro uses dangerous formula APIs, specifically the RUN function, indicating an attempt to execute arbitrary code. While no specific URLs or scripts were extracted, the presence of the Auto_Open macro and the use of the RUN function strongly suggest a malicious intent to download and execute a secondary payload.

Heuristics 3

XLM Auto_Open with dangerous formula APIs high OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.microsoft.com/photo/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `17182eefb54e8bb836fd901ab8c1fd4493092fcea5b82ff82facf480be2a3754`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	140278 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.