Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b7d4f66a98e928df…

MALICIOUS

Office (OLE) / .XLS

Size: 124.5 KB
Created: 2015-06-05 18:19:34
Authoring application: Microsoft Excel
MD5: 87fc72adcb395eb083e076dc1cfa20c7
SHA-1: 67ac98ed09742ddb0a1ab68fc590c73cb2f79b1b
SHA-256: b7d4f66a98e928dfb18d41021e5ad11043a3fc473c794edf481e8aa8c7cc9255
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The file contains Excel 4.0 macros, specifically an Auto_Open function, which is a known technique for executing malicious code upon opening the document. The macro utilizes dangerous APIs like RUN, indicating an attempt to execute external commands or download payloads. The embedded URL 'digitaldays.ro/site/brandupi.' is likely used to fetch a second-stage payload. The document body and heuristics suggest a lure impersonating a document signing service to trick users into enabling macros.

Heuristics (7)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • URL reconstructed from XLM cell array, 1 URL (critical, OLE_XLM_CELL_ARRAY_URL)
    The Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime) or across individual numeric cells (one ASCII charcode per cell). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries plus LABELSST/RK/NUMBER cells.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    The document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Document signing service impersonation lure (medium, SE_DOCUSIGN_LURE)
    The document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://URLMonURLDownloadToFileArundll,DllRegisterServe

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 4faf3105ecc2aac884cbb8f1af11f65b7e22c01c59a885436f8fe1fac847737b
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 7003 bytes