Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d6c09de41bd3bd9b…

MALICIOUS

Office (OLE) / .XLS

135.1 KB Created: 2006-09-13 11:21:51 Authoring application: Microsoft Excel
MD5: 0a985e8213a1ebc7360fc7f42dd12f46 SHA-1: 12f06a612e20e5aeb6debb32fa3756168ff7c06d SHA-256: d6c09de41bd3bd9b4bbb69c67c56a84e6ef7ed1fe5e92a2b491ffa65c4eeacf1
68 Risk Score

Malware Insights

MITRE ATT&CK
T1559 Component Object Model Hijacking

The critical heuristic firing indicates an embedded Adobe Flash (SWF) file within the OLE document. While the VBA project itself contains no executable statements, the presence of the SWF file is a strong indicator of malicious intent, likely serving as a delivery mechanism for exploits or further malware. The embedded URL, though confirmed benign, is noted.

Heuristics 3

  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
56845bb35fdf791b2d2b0ce90d464da9f81eef6f5c9562346451e8a85cc26aca		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 987 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.