Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b31fb28f79a1848b…

MALICIOUS

Office (OLE) / .XLS

Size: 390.0 KB
Created: 2020-09-20 21:17:44
MD5: f732c40f9b06280941bde5c5422579ad
SHA-1: 1efde45ae155bd31441b3fd3b8f57f5ac6b24de4
SHA-256: b31fb28f79a1848b85189158b6a0f36e5343dcd0601f4cdb633f1a85e778825d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File

The presence of Excel 4.0 macros, specifically triggering the OLE_XLM_AUTOOPEN and OLE_XLM_DANGEROUS_FN heuristics, indicates that the file is designed to execute malicious code upon opening. The dangerous formula API 'RUN' suggests the macro attempts to launch an external process. While the embedded URL is currently flagged as benign, it is likely used to fetch and execute a secondary payload, which is a common technique for malware delivery.

Heuristics (3)

  • [high] OLE_XLM_DANGEROUS_FN: XLM Auto_Open with dangerous formula APIs
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cutt.ly/ChWNf5G

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
  SHA-256: 3a7be3430046a32f6d07a3632f3f8b759e4df585d1515e9bb13680603c33d20a
  Kind:    xlm-macro
  Source:  oletools.olevba.extract_all_macros (XLM macro listing)
  Size:    1570 bytes