Office (OLE) / .XLS malware analysis — malicious · ced1af6aae3c0cef

MALICIOUS

Office (OLE) / .XLS

289.0 KB Created: 2020-09-30 08:38:18

MD5: 6069606d459d41b23c3158cf3e8fc10c SHA-1: 5bd8e544a1db75509055b11b9751931f42ea207b SHA-256: ced1af6aae3c0cef124b060abd5ff6eab7669d6fc32cf65601b23136d741bc49

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059.001 PowerShell

The file is an XLS spreadsheet containing VBA macros. A high-severity heuristic indicates the presence of a Workbook_Open macro, which is designed to execute automatically when the file is opened. This macro likely attempts to download and execute a second-stage payload, a common technique for initial access. No specific family could be identified, and no IOCs were directly extractable from the provided evidence.

Heuristics 4

Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `5563892c6821f165eac00852d4d6c1d9c8a72a3bea0574aa70a0d23ef6dc5dfc`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4894 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.