Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc324479cf7c5a54…

MALICIOUS

Office (OLE)

Size: 333.5 KB
Created: 2020-07-13 11:03:58
Authoring application: Microsoft Excel
First seen: 2020-09-07
MD5: a5119d58e00b88f212c911d2b703604b
SHA-1: 4a8c4c3cbcb2c6bdd290263b2ef9a56d0ddf872a
SHA-256: bc324479cf7c5a54989e6019cbe3598a1000d4fe1727c1a88edf3f7bd9b37257
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel 4.0 macro sheet that is encrypted, which is a common technique for hiding malicious content. The presence of an 'AUTOOPEN' macro further suggests that malicious code is intended to run automatically when the file is opened. The encrypted nature and lack of clear document body content prevent a more specific analysis of the payload or family.

Heuristics (2)

  • Encrypted Excel 4.0 macro sheet (severity: high, rule: OLE_XLM_ENCRYPTED_MACROSHEET)
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.