Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 de6a2d1048d82b94…

MALICIOUS

Office (OLE) / .XLS

4.62 MB Created: 2010-03-05 07:19:49 Authoring application: Microsoft Excel
MD5: f320121394f840a3648b2e5eb3d60f8f SHA-1: 8f164ec36b2d222a7471d628cc34c7fd938ad74b SHA-256: de6a2d1048d82b94dfa742ab5b6b102d6ae3cf09a4ffb682888fffe8678e5a4f
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1566.001 Spearphishing Attachment

The file is an Excel 4.0 (XLM) spreadsheet containing Auto_Open macros, indicated by multiple critical heuristic firings including OLE_XLM_AUTOOPEN and OLE_XLM_DANGEROUS_FN. The presence of 'RUN=1' in the dangerous function API usage suggests the macro attempts to execute external commands. While no specific URLs or executable scripts were directly extracted, the nature of XLM macros with Auto_Open is commonly used for downloading and executing further stages of malware. The VBA project contains no executable statements, indicating the primary malicious functionality resides within the XLM macros.

Heuristics 5

  • Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
71bfb31b8c850861ded0784a29820b5edc48956f41f350fe85662203637614bb		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 3698766 bytes
macros.bas
1b8b36902e4a9450549b807d4b79c9adc433e71056587f8e2a2ceab12172501d		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.