Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d0c3c0a628fab694…

MALICIOUS

Office (OLE) / .XLS

58.0 KB Created: 2021-03-01 10:18:13 Authoring application: Microsoft Excel
MD5: 0714463d96c79ecd13d8faef1298ed43 SHA-1: 804fedd782a9137a4eac02fbab130e34d002105f SHA-256: d0c3c0a628fab6943e19098e3e75c42ea35d552a90e52f8384708c7a7a17832b
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File

The sample is an Excel 4.0 workbook containing an Auto_Open macro, a common technique for executing malicious code upon opening. The 'SE_ENABLE_LURE' heuristic indicates the document likely prompts the user to enable content, facilitating the execution of the embedded macro. The macro sheet itself contains obfuscated commands and string concatenations, suggesting it is designed to download and execute a secondary payload. No specific family could be identified due to the generic nature of the lure and obfuscation.

Heuristics 4

  • XLM Auto_Open workbook with payload URL or enable-content lure critical OLE_XLM_AUTOOPEN_PAYLOAD_LURE
    Workbook contains an Excel 4.0 macro sheet with Auto_Open / Auto_Close and also exposes a payload URL or enable-content lure in the OLE bytes. This combination is a high-confidence XLM downloader/social-engineering pattern even when formula recovery cannot decode the full macro chain.
  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
cbaae356aa0ba5327769e7313197166de1ea083147e6c28d7c826baf347eb3f2		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 52129 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.