Office (OLE) / .XLS malware analysis — malicious · b5dfd308c1b2a896

MALICIOUS

Office (OLE) / .XLS

32.5 KB Created: 2020-12-11 10:11:01 Authoring application: Microsoft Excel

MD5: daec5f6a115a50bb689a9784113d54ab SHA-1: b69978d63c68b096be7fbdd3b0583c48183eaf16 SHA-256: b5dfd308c1b2a8967e38d380dcff4de930185b7f560feef786a6378fa998b06d

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is an Excel 4.0 macro-enabled spreadsheet. Heuristics indicate obfuscated macro chains and the presence of embedded OOXML, suggesting a complex execution flow. The document body presents a fake invoice, a common lure for malicious documents. The obfuscated XLM macros likely attempt to download and execute a second-stage payload, though the exact mechanism is obscured.

Heuristics 2

Obfuscated XLM defined-name macro chain high OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN

Excel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `ffdb416cad550b900b25768e8b8d098d76c43bf7ee83799ea74e8611898a6b0c`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	3494 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.