Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ca9e8b79b78e098a…

MALICIOUS

Office (OLE) / .XLS

Size: 39.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 6cc7df2d44bf2220b450de714b835f93
SHA-1: ba9070d5bb7b6bb7d6cf09fe4d8a74dba1e60db7
SHA-256: ca9e8b79b78e098ae0cd88816c4c0170b574f97688f2f69d72a4c542a965d60f
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic for Applications
  • T1204.002 Malicious File

The file is an Excel 4.0 (XLM) macro-enabled spreadsheet. The 'SE_ENABLE_LURE' heuristic indicates the document attempts to trick the user into enabling macros. The presence of XLM macros, specifically using dangerous functions like RUN, suggests the macro is designed to download and execute a payload from the embedded URL. The DOC BODY contains text that appears to be part of a lure, referencing 'DocuSign' and a URL.

Heuristics (5)

  • XLM Auto_Open with dangerous formula APIs (severity: high, ID: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, ID: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure (severity: medium, ID: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Suspicious extracted artifact (severity: medium, ID: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://sujalamcropcare.com/ds/0302.gif

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: f741cbc5df6bce6de1a0d76af71299cf1a142172d848fb0369422b28df1e2ed4
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 4174 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 shell/COM execution token(s).