Office (OLE) / .XLS malware analysis — malicious · b435bcf5fd952b36

MALICIOUS

Office (OLE) / .XLS

241.0 KB Created: 2007-05-24 21:07:24 Authoring application: Microsoft Excel

MD5: e6b4d4edf0943496a448927619055994 SHA-1: ef4c20f770ac0d002cab46bd6a388c3296b15d5d SHA-256: b435bcf5fd952b36e96bbd1b6aeb87e9e50a8cb3a8503b405a2178ffb68e2d0c

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.002 Spearphishing Attachment

The file is an OLE Excel spreadsheet containing VBA macros, specifically an Auto_Open macro, indicating malicious intent. The document body contains financial data and tables, suggesting a lure for financial fraud or credential theft. The presence of an embedded URL, though benign, is noted. The Auto_Open macro is designed to execute automatically upon opening the document, likely to download and execute a secondary payload.

Heuristics 4

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 246,784 bytes but its declared streams total only 130,342 bytes — 116,442 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `805c5668d9760380a782599e83f9202448f78b9008f101170b45555a2acfbfad`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3205 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.