Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d3c0d990853f3b8c…

MALICIOUS

Office (OLE)

Size: 610.5 KB
Created: 2020-05-04 21:59:42
Authoring application: Microsoft Excel
First seen: 2020-07-24
MD5: 76f0e6e9bfd4f6991976dcd0ec030d2a
SHA-1: d17839bb38e3233890c169105f6d7c0a701a775b
SHA-256: d3c0d990853f3b8c4c876d491d9654a61dd028e5913cac77438f63e943ab20f9
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005: Command and Scripting Interpreter: Visual Basic

The sample is an Excel file identified as containing encrypted Excel 4.0 (XLM) macros, with multiple heuristics firing that indicate the presence of such malicious content. The 'AUTOOPEN' heuristic suggests an attempt to execute these macros automatically when the document is opened, likely in order to download and execute a secondary payload.

Heuristics (3)

  • OLE metadata lists many Excel 4.0 macro sheets (severity: high; 2 related findings; ID: OLE_XLM_DOCPROPS_MACROSHEET_INVENTORY)
    The workbook contains a BIFF Excel 4.0 macro-sheet marker, and its unencrypted OLE DocumentSummaryInformation stream lists many "MacroN" sheet titles. This is a useful static signal when FILEPASS encryption prevents formula extraction from the Workbook stream.
  • Encrypted Excel 4.0 macro sheet (severity: high; ID: OLE_XLM_ENCRYPTED_MACROSHEET)
    The workbook contains an Excel 4.0 macro sheet together with a BIFF FILEPASS record (encryption). Password-protected XLM macro sheets, especially those using the default Excel password, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present (severity: medium; ID: OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro-sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.