Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c81db11bc768417e…

MALICIOUS

Office (OLE) / .XLS

Size: 1.27 MB
Created: 1999-10-14 12:43:09
Authoring application: Microsoft Excel
MD5: ca83ff78445f15ee44964fc3d2eda061
SHA-1: 05124e519147fc9649f302120387047f68491b38
SHA-256: c81db11bc768417eea9c1cd510a07906844ea226961f7540aece898f92904988
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy binary Excel (OLE/BIFF) workbook with a critical heuristic firing for a legacy Excel formula macro virus marker. The VBA project contains no executable statements, but the marker together with an embedded Equation Editor OLE object indicates a high likelihood of malicious intent. The document body contains a mix of technical terms and what could be financial or logistical data; with no executable script or URL extracted, the exact attack vector is unclear, and confidence is reduced accordingly.

Heuristics (3)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Contains an Equation Editor object: this is the component targeted by CVE-2017-11882 / CVE-2018-0802, but the CLSID alone only proves the object is embedded; it is not the malformed MTEF stream that constitutes the exploit primitive, which must be checked separately.
  • Legacy Excel formula macro virus marker (severity: critical; rule: OLE_XLS_FORMULA_MACRO_VIRUS)
    The Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or XLM (Excel 4.0) macro-sheet structure is present.
  • VBA project contains no executable statements (severity: low; rule: OLE_VBA_MACROS)
    The document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.
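Two checks a practitioner would run by hand to corroborate the first two heuristics, as an added example that is not the report's own heuristic code: a BIFF8 record walker that lists the Workbook stream's BOUNDSHEET entries and flags Excel 4.0 (XLM) macro sheets, including hidden and very hidden ones, and a byte scan for the Equation Editor 3.0 CLSID. It assumes the OLE streams have already been extracted (for example with olefile); the record bytes and the object blob are constructed inline for the demo and are not taken from this sample. Note that the marker heuristic above is designed to fire even when no XLM macro-sheet structure exists, so a clean BOUNDSHEET walk does not clear the file, and a CLSID hit only says an Equation Editor object is present, not that the MTEF payload is malformed.

```python
"""Hand checks for a BIFF8 (.xls) Workbook stream and an embedded OLE object.
Stream extraction is assumed to have happened already (e.g. via olefile).
All sample bytes below are constructed for the demo, not carved from the report's file.
"""
import struct

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as stored on disk:
# Data1..Data3 little-endian, Data4 byte-for-byte.
EQNEDT_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

RT_BOF = 0x0809
RT_BOUNDSHEET = 0x0085
RT_EOF = 0x000A

# BoundSheet8.dt (high byte of the flags word) and hsState (low two bits), per MS-XLS.
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro-sheet", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}


def iter_biff_records(stream):
    """Yield (record_type, data) for each BIFF record; stop on a truncated record
    rather than reading past the end of the stream."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        data = stream[off + 4: off + 4 + rlen]
        if len(data) < rlen:          # declared length runs past the stream: malformed
            break
        yield rtype, data
        off += 4 + rlen


def parse_boundsheet(data):
    """Decode a BoundSheet8 record into offset, sheet type, visibility and name."""
    if len(data) < 8:
        return None
    lb_ply_pos, grbit, cch = struct.unpack_from("<IHB", data, 0)
    high_byte = data[7] & 1           # fHighByte: 1 = UTF-16LE name, 0 = 8-bit name
    raw = data[8:8 + cch * (2 if high_byte else 1)]
    name = raw.decode("utf-16-le" if high_byte else "latin-1", errors="replace")
    return {
        "offset": lb_ply_pos,
        "type": SHEET_TYPES.get(grbit >> 8, "unknown(0x%02x)" % (grbit >> 8)),
        "visibility": VISIBILITY.get(grbit & 0x3, "unknown"),
        "name": name,
    }


def scan_workbook_stream(stream):
    """Return every sheet plus the subset that are XLM macro sheets, the classic
    Excel 4.0 macro carrier, which malicious files usually hide or very-hide."""
    sheets = []
    for rtype, data in iter_biff_records(stream):
        if rtype == RT_BOUNDSHEET:
            sheet = parse_boundsheet(data)
            if sheet:
                sheets.append(sheet)
    macro_sheets = [s for s in sheets if s["type"] == "xlm-macro-sheet"]
    return {
        "sheets": sheets,
        "macro_sheets": macro_sheets,
        "hidden_macro_sheets": [s for s in macro_sheets if s["visibility"] != "visible"],
    }


def has_equation_editor_clsid(blob):
    """True if the Equation Editor 3.0 CLSID occurs in the bytes. This only shows the
    object is embedded; the MTEF stream still has to be inspected for the exploit."""
    return blob.find(EQNEDT_CLSID) != -1


# ---- constructed sample data (demo only) ----
def _biff(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data


def _boundsheet(name, sheet_type, visibility):
    raw = name.encode("latin-1")
    return struct.pack("<IHBB", 0, (sheet_type << 8) | visibility, len(raw), 0) + raw


# Globals substream with one visible worksheet and one very hidden XLM macro sheet.
SAMPLE_WORKBOOK = (
    _biff(RT_BOF, bytes(16))
    + _biff(RT_BOUNDSHEET, _boundsheet("Sheet1", 0x00, 0))
    + _biff(RT_BOUNDSHEET, _boundsheet("Macro1", 0x01, 2))
    + _biff(RT_EOF, b"")
)

# Stand-in for the directory/CLSID bytes of an embedded Equation Editor object.
SAMPLE_OLE_OBJECT = b"\x00" * 8 + EQNEDT_CLSID + b"\x00" * 8

if __name__ == "__main__":
    result = scan_workbook_stream(SAMPLE_WORKBOOK)
    for s in result["sheets"]:
        print(f"{s['name']:10} {s['type']:16} {s['visibility']}")
    print("hidden XLM macro sheets:", [s["name"] for s in result["hidden_macro_sheets"]])
    print("Equation Editor CLSID present:", has_equation_editor_clsid(SAMPLE_OLE_OBJECT))
```

To run it against a real sample, read the `Workbook` stream with olefile and pass its bytes to `scan_workbook_stream`, and pass each embedded-object stream (and the raw file) to `has_equation_editor_clsid`; a very hidden `xlm-macro-sheet` entry is a strong signal on its own, while a CLSID hit is a prompt to dump and examine the object's MTEF data.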

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  1209 bytes
            SHA-256: 52c6f973d36f83aab22665895a6ddd290b5aa3fd9a9ca6129b95768d210a7b28