Office (OLE) / .XLS malware analysis — malicious · add0f7b8b4e8c0de

MALICIOUS

Office (OLE) / .XLS

1.06 MB Created: 2010-08-24 10:03:57 Authoring application: Microsoft Excel

MD5: c3b27caca053967254512220e101acde SHA-1: a6d33ecfe8d4113a7fdc74dbcc280b81a82a918f SHA-256: add0f7b8b4e8c0de85a59ad61f2d4e976edd8ba5392aad57ca2b791592c47382

128 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file contains legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristics. The document body presents itself as an invoice or report, a common lure for users to enable macros. The `RUN($B$1)` command within the macro sheet is particularly concerning as it can execute arbitrary code, potentially downloading and running a second-stage payload. The `DEFINE.NAME` function is used to set up the execution target for the `RUN` command.

Heuristics 3

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Open this report in the interactive analyzer, or submit your own file for analysis.