Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c3235ddd1e9475e3…

MALICIOUS

Office (OLE) / .XLS

Size: 2.77 MB
Created: 2000-05-26 16:45:09
Authoring application: Microsoft Excel
MD5: fc3907056703f77c9c611ffb3f9ebbb2
SHA-1: 2d196523e6c5fac2d45131bf56e9b70a29e9a40f
SHA-256: c3235ddd1e9475e34290880f969ab56510eb72bbed2aa509072c1a5ee4ec0ea9
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic for Applications
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is identified as a malicious Excel 4.0 (XLM) spreadsheet due to the presence of Auto_Open macros and legacy macro-virus markers. The document body contains Vietnamese text related to construction project cost estimation, which serves as a lure. While no specific malicious script actions were fully extracted due to truncation, the presence of XLM macros strongly suggests an intent to execute arbitrary code, likely for further payload delivery or system compromise. The file path 'C:\DUTOAN97\CUOCVC.DBF' is also present, which may be related to the macro's operation.

Heuristics (3)

  • Excel 4.0 (XLM) Auto_Open + macro sheet [severity: critical, rule: OLE_XLM_AUTOOPEN]
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy XLM macro-virus family marker [severity: critical, rule: OLE_XLM_LEGACY_MACRO_VIRUS]
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • VBA macros detected [severity: medium, rule: OLE_VBA_MACROS]
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 16ee33d491c253f76cbb7a2479e0642ffde728b0767c339746a8c09537bf8794
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5051 bytes