Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 d3a2cf7d134dbf84…

MALICIOUS

Office (OLE) / .XLSX

Size: 228.5 KB
Created: 2015-06-05 18:17:20
Authoring application: Microsoft Excel
MD5: b841b49e64712e70a331ea44867bf57b
SHA-1: 991445cb72e36060b6d11073ade74b51aeecd49c
SHA-256: d3a2cf7d134dbf84bc7851a60ffc247b0d40b267f795a611f6339a99e32bc9ec
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample is an Excel workbook carrying an Excel 4.0 (XLM) macro sheet with an Auto_Open entry, so the macro runs as soon as the user enables macros. The visible sheet claims the file is encrypted and asks the user to enable content, a standard lure for malicious documents. The Auto_Open macro calls the RUN function, which transfers control to another macro cell; in XLM droppers this is the usual way the entry point chains into the formulas that invoke external programs. Before that stage the macro performs environment checks, indicating it is designed to detect analysis environments and abort inside them.

Heuristics (4)

  • Excel 4.0 Auto_Open defined name (critical, OLE_XLM_AUTOOPEN_DEFINEDNAME)
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In the raw BIFF NAME record a built-in name such as Auto_Open is typically stored as a built-in name identifier rather than the literal string, so byte-string checks for "Auto_Open" can miss it; the recovered macro listing nevertheless confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs (critical, OLE_XLM_DANGEROUS_FN)
    The Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry together with XLM formula APIs that can invoke programs, write files, or transfer control to other macro cells, all without any VBA.
  • XLM Auto_Open environment-evasion HALT gate (high, OLE_XLM_ENVIRONMENT_EVASION_HALT)
    The Excel 4.0 macro sheet auto-executes multiple GET.WORKSPACE / GET.WINDOW environment checks and halts when the host does not look like an ordinary user's desktop. This is a common sandbox-evasion pattern in XLM malware and is a stronger signal than a bare XLM macro-sheet indicator.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
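As an added example (not the report's own scanner and not oletools code), the following Python mirrors the four heuristics above and the RUN chaining described in the summary: it parses a constructed XLM macro listing, flags the Auto_Open defined name, the dangerous formula APIs and the HALT-gated GET.WORKSPACE / GET.WINDOW checks, and statically traces the fall-through path from Auto_Open through RUN() jumps. The listing format (one NAME line per defined name, one sheet!cell: formula line per macro cell) and the cell contents are assumptions for illustration, not olevba's exact output and not the analysed sample's macros.

```python
import re
from dataclasses import dataclass, field

AUTO_EXEC_PREFIXES = ("AUTO_OPEN", "AUTO_CLOSE")   # Excel fires names beginning with these
DANGEROUS_FN = {"EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "FORMULA", "FORMULA.FILL", "RUN"}
ENV_FN = {"GET.WORKSPACE", "GET.WINDOW"}           # host fingerprinting
HALT_FN = {"HALT", "CLOSE"}                        # how an evasion gate bails out

# Assumed listing format (not olevba's exact output): "NAME <name>=<ref>" and "<sheet>!<cell>: <formula>".
NAME_RE = re.compile(r"^NAME\s+(\S+?)=(\S+)$")
CELL_RE = re.compile(r"^(\S+![A-Z]+\d+):\s*(.*)$")
CALL_RE = re.compile(r"([A-Z][A-Z.]*)\(")
REF_RE = re.compile(r"^(\S+)!\$?([A-Z]+)\$?(\d+)$")

# Constructed sample listing, not recovered from the analysed file. Mouse/sound
# GET.WORKSPACE checks and a FOPEN/FWRITE/EXEC dropper stage are typical of XLM
# malware, but every cell here is illustrative.
SAMPLE_LISTING = r"""
NAME Auto_Open=Macro1!$A$1
Macro1!A1: =IF(GET.WORKSPACE(19),,CLOSE(TRUE))
Macro1!A2: =IF(GET.WORKSPACE(42),,CLOSE(TRUE))
Macro1!A3: =IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,HALT())
Macro1!A4: =IF(GET.WINDOW(7),HALT(),)
Macro1!A5: =RUN(Macro1!B1)
Macro1!B1: =FOPEN("C:\Users\Public\x.vbs",3)
Macro1!B2: =FWRITE(B1,"WScript.Echo 1")
Macro1!B3: =FCLOSE(B1)
Macro1!B4: =EXEC("wscript.exe C:\Users\Public\x.vbs")
Macro1!B5: =HALT()
"""


@dataclass
class XlmListing:
    names: dict = field(default_factory=dict)  # defined name -> target reference
    cells: dict = field(default_factory=dict)  # "Sheet!A1" -> formula text


def parse_listing(text: str) -> XlmListing:
    """Split the listing into defined names and macro-sheet cells (insertion order kept)."""
    listing = XlmListing()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            listing.names[m.group(1)] = m.group(2)
        elif m := CELL_RE.match(line):
            listing.cells[m.group(1)] = m.group(2)
    return listing


def calls_in(formula: str) -> set:
    """Every XLM function name invoked anywhere in a formula, upper-cased."""
    return set(CALL_RE.findall(formula.upper()))


def auto_exec_names(listing: XlmListing) -> list:
    return [n for n in listing.names if n.upper().startswith(AUTO_EXEC_PREFIXES)]


def dangerous_calls(listing: XlmListing) -> dict:
    """Cells that invoke program-execution, file-write or control-transfer APIs."""
    return {ref: sorted(calls_in(f) & DANGEROUS_FN)
            for ref, f in listing.cells.items() if calls_in(f) & DANGEROUS_FN}


def halt_gated_env_checks(listing: XlmListing) -> list:
    """Cells that fingerprint the host and bail out (HALT/CLOSE) in the same formula."""
    return [ref for ref, f in listing.cells.items()
            if calls_in(f) & ENV_FN and calls_in(f) & HALT_FN]


def score(listing: XlmListing) -> list:
    """Emit (rule id, severity) pairs mirroring the report's four heuristics."""
    findings = []
    if listing.cells:
        findings.append(("OLE_XLM_AUTOOPEN", "medium"))
    if auto_exec_names(listing):
        findings.append(("OLE_XLM_AUTOOPEN_DEFINEDNAME", "critical"))
        if dangerous_calls(listing):
            findings.append(("OLE_XLM_DANGEROUS_FN", "critical"))
        if len(halt_gated_env_checks(listing)) >= 2:   # "multiple" checks
            findings.append(("OLE_XLM_ENVIRONMENT_EVASION_HALT", "high"))
    return findings


def normalise_ref(ref: str) -> str:
    """Macro1!$A$1 -> Macro1!A1 so defined-name targets match cell keys."""
    m = REF_RE.match(ref)
    return f"{m.group(1)}!{m.group(2)}{m.group(3)}" if m else ref


def trace(listing: XlmListing, start: str, limit: int = 200) -> list:
    """Static walk of the fall-through path: down the column from `start`, jumping on
    RUN(ref), stopping at an unconditional HALT()/RETURN(). Conditional branches
    (the IF(...,,HALT()) gates) are assumed to pass, i.e. the 'real user' path."""
    path, ref = [], normalise_ref(start)
    while ref in listing.cells and len(path) < limit:
        path.append(ref)
        formula = listing.cells[ref]
        if formula.upper().lstrip("=").startswith(("HALT(", "RETURN(")):
            break
        if jump := re.search(r"RUN\(([^),]+)", formula, re.I):
            ref = normalise_ref(jump.group(1))
        else:
            sheet, col, row = REF_RE.match(ref).groups()
            ref = f"{sheet}!{col}{int(row) + 1}"
    return path


if __name__ == "__main__":
    lst = parse_listing(SAMPLE_LISTING)
    print(score(lst))
    for name in auto_exec_names(lst):
        print(name, "->", " -> ".join(trace(lst, lst.names[name])))
```

Running the block prints the four findings in severity order and the ten-cell path from Auto_Open down column A, through RUN(Macro1!B1), to the final HALT(); on a listing with an Auto_Open name but no dangerous APIs or HALT-gated checks only the two Auto_Open rules fire, which is the distinction between a suspicious macro sheet and this sample's dropper pattern.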

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 6d6fb562fc3288ce6cb471a98a63aad65cf06e29c6079537e3e6c44d07299f6c
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 329455 bytes