Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb74f9285e3142fb…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:38:34
Authoring application: Microsoft Excel
MD5: 8e6de0a3188e56b76f0dd51db32722c7
SHA-1: cb8260272a5bcf24131619cc3b35c313687c5cfe
SHA-256: bb74f9285e3142fb5724f2299ea18ff7cd41493507ab1cc3e9f7163edbb597f9
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The critical heuristics indicate an Excel 4.0 (XLM) macro sheet with an Auto_Open defined name, so the macro runs as soon as the workbook is opened with macros enabled. XLM is a legacy feature that current Excel builds still execute when it is enabled, and unlike VBA it lives in sheet cells and defined names rather than in a VBA project stream, so VBA-only scanners miss it. The macro sheet uses XLM formula functions that can launch programs, write files or transfer control, which points to arbitrary command execution rather than a benign spreadsheet automation. No network IOCs (URLs, domains, IP addresses) were recovered from the macro listing, so detection should key on the technique itself; the sample's own hashes above and the hash of the carved macro listing below are the available file indicators.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In the BIFF stream a built-in name such as Auto_Open is stored as a one-byte identifier with the fBuiltin flag set rather than as the literal string, so a plain byte-string search for "Auto_Open" can miss it; the recovered macro listing nevertheless confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula functions that can invoke programs, write files or transfer control without any VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
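The two checks described by the heuristics above, as an added example that is not part of the report or of oletools: a scanner that walks a BIFF8 record stream and flags Lbl (0x0018) defined-name records carrying an auto-execution name, whether stored as the built-in id byte (fBuiltin set, 0x01 = Auto_Open, 0x02 = Auto_Close) or as a literal string, and a triage pass over a plain-text XLM macro listing for formula functions that execute programs, write files or transfer control. The BIFF records, the listing text and the DANGEROUS_XLM function set are constructed for the demonstration; the listing format is a simplified approximation, not the exact olevba output, and the function set is a starting point, not an exhaustive list.

```python
"""Added example: XLM auto-exec name and dangerous-function checks on constructed input."""
import re
import struct

LBL = 0x0018                      # BIFF8 Lbl (defined name) record type
F_BUILTIN = 0x0020                # grbit bit 5: name is a built-in id, not a string
BUILTIN_AUTOEXEC = {0x01: "Auto_Open", 0x02: "Auto_Close"}
LITERAL_AUTOEXEC = {"auto_open", "auto_close"}   # defined names are case-insensitive

# Assumed starting set of XLM functions worth flagging (constructed, not exhaustive).
DANGEROUS_XLM = {
    "EXEC", "CALL", "REGISTER", "REGISTER.ID", "RUN",
    "FOPEN", "FWRITE", "FWRITELN", "FORMULA", "FORMULA.FILL",
}
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\(")


def build_lbl(name, builtin=False, rgce=b""):
    """Construct a minimal BIFF8 Lbl record (4-byte header + body). Test data only."""
    if builtin:
        grbit, name_bytes = F_BUILTIN, bytes([name])   # single byte: the built-in id
    else:
        grbit, name_bytes = 0, name.encode("ascii")
    # grbit, chKey, cch, cce, reserved3, itab, reserved4..7
    body = struct.pack("<HBBHHHBBBB", grbit, 0, len(name_bytes), len(rgce),
                       0, 0, 0, 0, 0, 0)
    body += b"\x00" + name_bytes + rgce     # XLUnicodeStringNoCch: flags byte, chars
    return struct.pack("<HH", LBL, len(body)) + body


def iter_records(data):
    """Yield (type, body) for each record in a BIFF stream."""
    off = 0
    while off + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, off)
        yield rtype, data[off + 4: off + 4 + rlen]
        off += 4 + rlen


def parse_lbl(body):
    """Decode the name of a Lbl record, honouring fBuiltin and the fHighByte string flag."""
    grbit, _chkey, cch, _cce = struct.unpack_from("<HBBH", body, 0)
    high = body[14] & 1                      # string flags byte follows the 14-byte fixed part
    raw = body[15: 15 + cch * (2 if high else 1)]
    if grbit & F_BUILTIN:
        return {"builtin": True, "name": BUILTIN_AUTOEXEC.get(raw[0], f"builtin_{raw[0]:#x}")}
    return {"builtin": False, "name": raw.decode("utf-16-le" if high else "latin-1")}


def find_autoexec_names(data):
    """Return every Lbl record whose name resolves to Auto_Open or Auto_Close."""
    hits = []
    for rtype, body in iter_records(data):
        if rtype == LBL and len(body) >= 15:
            info = parse_lbl(body)
            if info["name"].lower() in LITERAL_AUTOEXEC:
                hits.append(info)
    return hits


def naive_grep(data):
    """The byte-string check that the heuristic text warns about."""
    return b"Auto_Open" in data


def scan_listing(listing):
    """Return (line number, function) for each dangerous XLM function in a macro listing."""
    hits = []
    for lineno, line in enumerate(listing.splitlines(), 1):
        for fn in FUNC_RE.findall(line.upper()):
            if fn in DANGEROUS_XLM:
                hits.append((lineno, fn))
    return hits


# Constructed BIFF stream: built-in Auto_Open, an ordinary name, and a literal auto_open.
SAMPLE_BIFF = (
    build_lbl(0x01, builtin=True, rgce=b"\x3b" + b"\x00" * 7)
    + build_lbl("Totals")
    + build_lbl("auto_open")
)

# Constructed macro listing, not the report's carved artifact.
SAMPLE_LISTING = """\
' Sheet Macro1, constructed listing
' CELL:A1 , =FORMULA("=EXEC(""notepad.exe"")",B1)
' CELL:A2 , =FOPEN("out.txt",3)
' CELL:A3 , =SUM(1,2)
' CELL:A4 , =RETURN()
"""

if __name__ == "__main__":
    print("naive grep finds Auto_Open:", naive_grep(SAMPLE_BIFF))
    for hit in find_autoexec_names(SAMPLE_BIFF):
        print("auto-exec name:", hit)
    for lineno, fn in scan_listing(SAMPLE_LISTING):
        print(f"dangerous function {fn} on listing line {lineno}")
```

The naive grep returns False against a stream that carries two auto-execution names, which is the gap the first heuristic closes by decoding the record rather than searching bytes. In practice the BIFF stream comes from the Workbook OLE stream (oletools and olefile will hand it to you) and the listing from `olevba --decode`; the parsing above is deliberately minimal and does not handle continued records.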

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename          Kind        Source                                                   Size
xlm_macros.txt    xlm-macro   oletools.olevba.extract_all_macros (XLM macro listing)   6723 bytes
  SHA-256: c115ae5fb98e2369e1ae6182ea86afe388647970f6ea589883daba57156bbf31