Office (OLE) / .XLS malware analysis — malicious · d9b3703b3bac23fc

MALICIOUS

Office (OLE) / .XLS

326.5 KB Created: 2020-06-22 06:07:04 Authoring application: Microsoft Excel

MD5: d9f225f11d7c0eb7045e301f134177de SHA-1: 4f42db7dd8d92ff880ad3d1b66e141514170ea69 SHA-256: d9b3703b3bac23fc1950878f68150d2970003f91439f9eea076066fd793aa8cf

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The critical heuristic OLE_XLM_AUTOOPEN_DEFINEDNAME indicates the presence of an Excel 4.0 Auto_Open macro, which is designed to execute automatically when the workbook is opened. ClamAV also detected this file as Xls.Dropper.Agent-8227479-0. The macro sheet contains a reference to 'njYsiZnxggTGhEQ!BM34734' which is likely the entry point for the malicious execution chain, suggesting it acts as a dropper.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
ClamAV: Xls.Dropper.Agent-8227479-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-8227479-0
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `c1ee604feb4bbcdce3d90b0cd85b59c3ce6ec097792f44f8024e5273bb991f93`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	227976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.