Office (OLE) / .XLS malware analysis — malicious · d4fb2be15f60aae7

MALICIOUS

Office (OLE) / .XLS

855.5 KB Created: 2007-11-01 00:39:49 Authoring application: Microsoft Excel

MD5: 6d15d0d3d75656484cd5f53eed915b61 SHA-1: 8172e19d3f411b108e9b3559fc226635b6af00e2 SHA-256: d4fb2be15f60aae77e5d9fedbdc51edd1e5b10563e08bedaf88c642dc43e6335

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1566.001 Spearphishing Attachment

This XLS file contains legacy Excel 4.0 (XLM) macros, identified by the 'OLE_XLM_AUTOOPEN' and 'OLE_XLM_DANGEROUS_FN' heuristics. The macros are associated with a known Excel Formula Macro Virus, 'XF.Classic', and mention 'Poppy by VicodinES' and 'The Narkotic Network 1998'. The embedded SWF file and the presence of dangerous formula APIs suggest an attempt to execute malicious code. The document body explicitly mentions infecting other workbooks and saving them as 'Book1.xls', indicating a self-propagating infection mechanism. The URL 'http://www.landto.com' is also present.

Heuristics 6

Legacy Excel formula macro virus marker critical OLE_XLS_FORMULA_MACRO_VIRUS

Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF

Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
XLM Auto_Open with dangerous formula APIs high OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.landto.com

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `1d2b9ebc3a7f26d6a24a9094c9e46c9918f6d0b739248c7a6664fcfe4231b3d9`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	5216 bytes
`macros.bas` `545e9549479eb5f532c3a3116230ec9febfcd72f18ea3b525378fdc857dedce0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	693 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.