Office (OLE) / .XLSX malware analysis — malicious · c0f31593f9d5a373

MALICIOUS

Office (OLE) / .XLSX

36.0 KB Created: 2021-02-16 08:47:01 Authoring application: Microsoft Excel

MD5: e2a96532b98efb6f314346a53b87cfe6 SHA-1: 8b00fadfad2de2c7908a5f01ab6247b6af28054d SHA-256: c0f31593f9d5a37357d90bee484a2be8ef834cd902d9b9e05127308c7efc02d9

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains Excel 4.0 macros, specifically an Auto_Open defined name, which is a known technique for executing malicious code upon opening the workbook. The macro sheet itself is heavily obfuscated, making it difficult to determine the exact payload or further actions. However, the presence of the Auto_Open entry strongly indicates an intent to run arbitrary code.

Heuristics 2

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `5fd06a1388b29a5bce65dc72014389d3706c6ba8f4fe875ed9493d7a3520fedd`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	16890 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.