Office (OLE) malware analysis — malicious · d8617aed064883d8

MALICIOUS

Office (OLE)

3.29 MB Created: 2010-03-11 06:31:09 Authoring application: Microsoft Excel

MD5: b91d8263419929ba66e1f5a8b80e0139 SHA-1: fd7736afab1eb0f9077be6fc06e9bafcd3297091 SHA-256: d8617aed064883d863e545aa0503015d1b7a2832d2827d0cf58e2b73286c3880

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File

The file is an Excel document containing legacy XLM macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristics. These macros are designed to execute automatically upon opening. The embedded URL, http://150.1.154.4/My%20Documents%5CBook.xls, is likely used to download and execute a secondary payload, which is a common technique for malware delivery.

Heuristics 3

Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
Excel 4.0 (XLM) Auto_Open + macro sheet high OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://150.1.154.4/My%20Documents%5CBook.xls

Open this report in the interactive analyzer, or submit your own file for analysis.