Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 da61733e71fa28d0…

MALICIOUS

Office (OLE) / .XLS

31.0 KB Created: 2021-01-25 13:39:56 Authoring application: Microsoft Excel
MD5: c92ed3732d55ab2301ce75f9ab38048c SHA-1: 4efb6578e4bf918336e1ea91a584c2baf7f1658b SHA-256: da61733e71fa28d0e04d55a88ba1b512531a0f3ed56656e4cdd0fef0de7a4452
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious Macro T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an Excel 4.0 (XLM) macro-enabled spreadsheet. It contains an Auto_Open macro that is triggered upon opening the workbook. The document body displays a lure instructing the user to 'Enable Editing' and 'Enable Content' to bypass security warnings. The XLM macro uses dangerous functions, including 'RUN', indicating it is designed to execute arbitrary commands. No specific second-stage payload or network indicators were extracted, but the presence of the Auto_Open macro and the lure strongly suggest a malicious intent to execute arbitrary code.

Heuristics 4

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
a7e6d839ca83eb6a098b6a2f6761efc0b56c9cba4f41c32027c84bae7ab8e8ff		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 3477 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.