Office (OLE) / .XLS malware analysis — malicious · c1733e867b91d2f1

MALICIOUS

Office (OLE) / .XLS

12.0 KB Created: 2026-04-05 23:05:42 Authoring application: Microsoft Excel

MD5: 1dbffdeb2bd817f2ce154eb64e78b7da SHA-1: efa8bded7dad62ea644569e7c1ec6f1cd9ef2fb9 SHA-256: c1733e867b91d2f1a95abbcfbb9fbb843ef81e3b6af7fbeafb6d9120ad04cb3a

108 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell

The file is an Excel XLS document containing an encrypted Excel 4.0 macro sheet, indicated by the OLE_XLM_ENCRYPTED_MACROSHEET and OLE_XLM_AUTOOPEN heuristics. The SC_STR_WSCRIPT heuristic suggests that Windows Script Host is being referenced, which is commonly used to execute malicious scripts. While no specific URLs or hashes were extracted, the presence of these indicators points to a macro-based attack designed to download and execute a secondary payload. The VBA project itself contains no executable statements, indicating the malicious logic resides within the XLM macros.

Heuristics 4

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET

Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Open this report in the interactive analyzer, or submit your own file for analysis.