Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d5534017120e4cc6…

MALICIOUS

Office (OLE) / .XLS

Size: 63.0 KB
Created: 2008-10-28 12:00:19
Authoring application: Microsoft Excel
MD5: 5faab97bf3c25e9653b93870facf82a2
SHA-1: 69aeb1e12b00b232eb887981d5af4e879d56c39a
SHA-256: d5534017120e4cc693c1360dffec155f2b675237c639c3ae3a6f78c169a407f8
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic for Applications
T1059.001 Command and Scripting Interpreter: PowerShell
T1566.002 Phishing: Spearphishing Attachment

The sample is an Excel file containing VBA macros, specifically an Auto_Close macro that is executed when the document is closed. The presence of CreateObject and GetObject calls suggests the macro attempts to interact with the system or other applications. The document body presents financial data, likely as a lure to encourage users to enable macros. The Auto_Close macro is a common technique for executing malicious code upon document closure, often used to download and execute further payloads.

Heuristics (5)

  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  40650b52e45d145c06f524c3690972ec44b54ace06f557b239ae8c89e2e43c6e
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     5557 bytes