Office (OLE) / .XLS malware analysis — malicious · a2bcbad7da373581

MALICIOUS

Office (OLE) / .XLS

6.15 MB Created: 2010-05-04 01:01:56 Authoring application: Microsoft Excel

MD5: bc3b3f4e603de4eee752e552dd1341cf SHA-1: a8168107582583dbc2d583e68112db60c7dbadb8 SHA-256: a2bcbad7da3735816742bf4c003c280766dda0af715383c09de8002a4bce8e00

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications

The file is a legacy Excel 4.0 (XLM) spreadsheet containing Auto_Open macros. The presence of the 'XL4Poppy' marker strongly suggests it belongs to a legacy macro-virus family. The document body contains what appears to be a bill of materials for furniture, likely a lure to disguise the malicious macro functionality.

Heuristics 3

Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
Excel 4.0 (XLM) Auto_Open + macro sheet high OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://office.microsoft.com

Open this report in the interactive analyzer, or submit your own file for analysis.