Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bd55d3c0085173fb…

MALICIOUS

Office (OLE) / .XLS

53.0 KB Created: 2024-08-14 13:29:04
MD5: dcbf394c934be8771b33f4c230586fb1 SHA-1: e70bcef8d73f9151760b6aa115553d24e3d382cb SHA-256: bd55d3c0085173fb44813965730d602076675820fcc09e85b1f2c1445c99df97
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is an Excel 4.0 workbook containing an Auto_Open macro, as indicated by multiple critical heuristic firings. The macro sheet uses dangerous functions, including 'RUN', suggesting it is designed to execute arbitrary commands. The document body appears to be a payroll detail report, likely used as a lure to trick users into opening the malicious file.

Heuristics 3

  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
369089c5a07bb30c6402de1d836f6ecfeccc55bdfacb9057850d6ec6aa5b6626		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 34439 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.