Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b564767e64b24a22…

MALICIOUS

Office (OLE) / .XLS

Size: 70.0 KB
Created: 2020-09-20 21:17:44
MD5: 737f00c21bf4fcae1d80df11a03075af
SHA-1: f0ee670f88dd111cb4a47d84f4d4ab0142f82f8c
SHA-256: b564767e64b24a22fdafa32b041f8a36910d0fd9504adfbc91dc16d0d8fcee9e
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1059.001 PowerShell

The sample is an Excel 4.0 macro-enabled spreadsheet. The presence of an Auto_Open macro with dangerous formula APIs, specifically the RUN function, indicates an intent to execute arbitrary code. While the embedded URL is currently flagged as benign, the macro's functionality strongly suggests it is a downloader or dropper for malicious payloads. No specific family could be identified.

Heuristics (3)

  • XLM Auto_Open with dangerous formula APIs (severity: high, rule: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cutt.ly/ZhW3tvR

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: ba8a637f91bb81c5d4f6bc6d1c13d8343d735f9fe87b511e60c1c31e5544ffdb
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 1947 bytes