Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 dcf72aa38ac3dfd0…

MALICIOUS

Office (OLE) / .XLS

Size: 2.12 MB
Created: 1999-10-14 12:43:09
Authoring application: Microsoft Excel
MD5: 80c83b56e1fe3e434afa9831c71bbd43
SHA-1: 361b73836b8e8a09298e52fc1aed8b14b4a0962f
SHA-256: dcf72aa38ac3dfd029fe60ddfca99982cf75e95f618dc2d56b8a78caff546cba
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing VBA macros and an embedded Equation Editor OLE object, both of which are common indicators of malicious documents. The presence of the 'OLE_XLS_FORMULA_MACRO_VIRUS' heuristic strongly suggests legacy macro-based malware. While the document body contains what appears to be technical data related to railway infrastructure, the core malicious functionality is likely within the VBA macros, which are known to be used for exploitation or payload delivery.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) — rule OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Legacy Excel formula macro virus marker (severity: critical) — rule OLE_XLS_FORMULA_MACRO_VIRUS
    Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
  • VBA macros detected (severity: medium) — rule OLE_VBA_MACROS
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: cd4bb1afcbccfc38416c20c6a7b949a617323fffd4816821b895e207ffec3d52
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12896 bytes