Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 cf1f18b675120f83…

MALICIOUS

Office (OLE) / .XLS

258.5 KB
MD5: 92f013276bd184b61e9912df743051c5 SHA-1: 9ab3598a7525e60e29edacb85ca6a9148e952ec8 SHA-256: cf1f18b675120f83d0cd94574a624360f8794e3aca9152d6cb93d95d2a274323
300 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1059.004 Unix Shell T1059.003 Windows Command Shell T1059.006 Python

The file contains Excel 4.0 macros, specifically an Auto_Open macro that utilizes dangerous functions like RUN. The presence of ShellExecute and certutil API references indicates the macro is designed to download and execute additional malicious content. The VBA code, while truncated, also contains functions that appear to save files with .xls extensions, suggesting a multi-stage infection process. The ClamAV detection further confirms its malicious nature as a downloader.

Heuristics 7

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • ClamAV: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Trojan-bf70f023603538ee-bf70f023603538ee-9950269-0
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to certutil (download/decode) high SC_STR_CERTUTIL
    Reference to certutil (download/decode)
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
669cc3e50e1843bcc39f11c844ab35e129b4185fc11cb6a4c374879bbfc982a7		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 5649 bytes
macros.bas
b10b3c2411dad3a119b953a14df4d49c08a4d0ed2ca4aa11995356167549f2ae		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1826 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.