Office (OLE) / .XLS malware analysis — malicious · a6451d1343b8a2ce

MALICIOUS

Office (OLE) / .XLS

380.5 KB Created: 2015-06-05 18:19:34 Authoring application: Microsoft Excel

MD5: 627c04751764b1ea91257b6085f0839a SHA-1: 75336c047ac928b0faf230976cfa84407c4f9ae2 SHA-256: a6451d1343b8a2ce383a8d20fe70d291af0ea970d6062741acbbf642ae15bbc0

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File

The critical heuristic OLE_XLM_AUTOOPEN_DEFINEDNAME indicates the presence of Excel 4.0 macros with an Auto_Open entry, which is designed to execute automatically upon opening the workbook. The SE_ENABLE_LURE heuristic confirms that the document contains content designed to trick the user into enabling these macros. The extracted URLs and script fragments suggest the macro's purpose is to download and execute a second-stage payload. The macro code includes calls to `FileLoadT`, `FileDownloadT`, and `Regi`ster, indicating a download and execution chain.

Heuristics 4

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
URL https://hermescomm.net/x9NvrhL0/lena.html
- https://asistenciajuridicaintegral.com/6YiCkNix5/lena.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `be629cb484f8d82e38c4234ddbad4f1755e762b9c1c8359642d99f8c77e6e858`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	8812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.