Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 da94d399f1a6b636…

MALICIOUS

Office (OLE) / .XLS

Size: 205.0 KB
Created: 2020-02-27 10:23:09
Authoring application: Microsoft Excel
MD5: 0205d0c8d0afd394f484cb5031e9aa94
SHA-1: bcf1b90efafe60f1f881c2ad72d1db2b90167d34
SHA-256: da94d399f1a6b636e447d080eba4fa73fff1fe417271ad162af80f0d2e7da8ee
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel 4.0 (XLM) macro-enabled spreadsheet. Heuristics indicate the presence of an Auto_Open macro that uses dangerous formula APIs, specifically the RUN function, to execute commands. No URLs or scripts were extracted, but the presence of the XLM macro strongly suggests an attempt to run arbitrary code upon opening.

Heuristics (3)

  • XLM Auto_Open with dangerous formula APIs (severity: high, rule: OLE_XLM_DANGEROUS_FN)
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://schemas.openxmlformats.org/officeDocument/2006/customXml
      • http://schemas.microsoft.com/DataMashup

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256:  973546c04f9e928f3c124f1c716a2d34842b91308df6a2fe300aa0fcacd085f9
Kind:     xlm-macro
Source:   oletools.olevba.extract_all_macros (XLM macro listing)
Size:     39856 bytes