Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 de7afbff0c13f792…

MALICIOUS

Office (OLE)

Size: 3.67 MB
Created: 2000-05-02 12:01:22
Authoring application: Microsoft Excel
MD5: 8f3c8354e8ba423cbd6cf8b7125202c3
SHA-1: db9c2ddf534ade300603f9158d55001ec2e663df
SHA-256: de7afbff0c13f7920345d89fa299f3e8f34c33635f8f60ed4d51a0fda80a2634
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Service Execution: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 Malicious File: Malicious File

The critical heuristic OLE_XLM_AUTOOPEN indicates the presence of Excel 4.0 macros, a technique often used for initial execution. The OLE_XLM_LEGACY_MACRO_VIRUS firing further supports this, pointing to a legacy macro-virus family. While no specific scripts were extracted, the presence of these legacy macro indicators suggests the file is designed to run arbitrary code upon opening, likely to download and execute a secondary payload. The document body content appears to be related to construction cost estimation, which may serve as a lure.

Heuristics (3)

  • Excel 4.0 (XLM) Auto_Open + macro sheet [critical] OLE_XLM_AUTOOPEN
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • Legacy XLM macro-virus family marker [critical] OLE_XLM_LEGACY_MACRO_VIRUS
    Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: 0823dada47768c3bc5e0170015ff256fae5adae80944ef398aea0e657b483a68
Kind: ole-package
Source: OLE Ole10Native stream: MBD00040EED/Ole10Native
Size: 69572 bytes