Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d6063921e36b1241…

MALICIOUS

Office (OLE) / .XLS

Size: 32.5 KB
Created: 2020-12-11 12:13:22
Authoring application: Microsoft Excel
MD5: 5c78e4a9ca8178621432bec41dfe82ce
SHA-1: bc2d2d2c559395f29835876a196b96b7f5763561
SHA-256: d6063921e36b12414d769eda7cf5715541d149e54168128ceeb800a05f9f2b3d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic for Applications

The presence of an Excel 4.0 macro sheet and an obfuscated defined-name chain indicates malicious intent. The document body suggests a lure related to an invoice, prompting the user to interact with the sheet. The macro sheet contains references to other cells and string constants, suggesting it is designed to execute commands or download further payloads.

Heuristics (2)

  • Obfuscated XLM defined-name macro chain [severity: high] OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN
    Excel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
  • Excel 4.0 (XLM) macro sheet present [severity: medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: eee0aa721b2ad5724cca6e38d5390497f14b52c8773f1b381b2f20716fb793fd
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 3504 bytes