Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c036f2a72cbc405a…

MALICIOUS

Office (OLE) / .XLS

41.5 KB Created: 2020-09-28 00:53:43 Authoring application: Microsoft Excel
MD5: d735e9c1cf3d8008bbac1dec6c59adb7 SHA-1: 75ef3dea453591822f83c3e35b958b849520dc72 SHA-256: c036f2a72cbc405a755963bc72eed060b848905e33d51bd3be421c951764c7c0
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Service Execution: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell T1566.001 Phishing: Spearphishing Attachment

The file is an Excel 4.0 macro-enabled spreadsheet. Heuristics indicate the presence of an Auto_Open macro, which is a common technique for executing malicious code upon opening the document. The macro sheet contains references to dangerous functions like RUN, suggesting it's designed to execute arbitrary commands. The presence of environment evasion checks further supports a malicious intent. The exact payload or download URL is not explicitly visible in the provided script excerpt, but the Auto_Open function is the primary mechanism for initiating the attack.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • XLM Auto_Open environment-evasion HALT gate high OLE_XLM_ENVIRONMENT_EVASION_HALT
    Excel 4.0 macro sheet auto-executes multiple GET.WORKSPACE / GET.WINDOW environment checks and halts execution when the host does not match the expected user environment. This is a common sandbox-evasion pattern in XLM malware and is stronger than a bare XLM macro-sheet indicator.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
10a8af2d895599f6a69d554e5199c45ad9af0a60c7aedab2a31719258a274122		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 8199 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.