Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce5c0415fb519d2a…

MALICIOUS

Office (OLE)

121.0 KB Created: 2020-04-23 15:30:58 Authoring application: Microsoft Excel First seen: 2020-07-24
MD5: 246dca361689c0c7d0e9f80d5e6de0b2 SHA-1: 42ed03e2d43942aee5499810c0384e261d1b5f13 SHA-256: ce5c0415fb519d2a4105e370d658377b1da37c30d02a2ba6abafd77721a099d9
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an encrypted Excel 4.0 macro sheet, indicated by multiple heuristic firings including 'OLE_XLM_ENCRYPTED_MACROSHEET' and 'OLE_XLM_AUTOOPEN'. The presence of encrypted macros strongly suggests the file is intended to execute malicious code, likely for initial access via spearphishing attachment. No specific family could be identified due to the encryption and lack of further script content.

Heuristics 3

  • OLE metadata lists many Excel 4.0 macro sheets high 2 related findings OLE_XLM_DOCPROPS_MACROSHEET_INVENTORY
    Workbook contains a BIFF Excel 4.0 macro-sheet marker and its clear OLE DocumentSummaryInformation stream lists many MacroN sheet titles. This is a useful static signal when FILEPASS encryption prevents formula extraction from the workbook stream.
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.