Office (OLE) / .XLS malware analysis — malicious · e289c996b68fa41c

MALICIOUS

Office (OLE) / .XLS

367.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: 916981cd7b91785d166c0ccf8b551f23 SHA-1: 81b026444d54a9d72c39a4a13e07598b0a2200b6 SHA-256: e289c996b68fa41cc2da43cbb5f51c710e83738d32d29c1a377c78ba9132dc1c

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1204.002 Malicious File

The file contains Excel 4.0 macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_AUTOOPEN_DEFINEDNAME heuristics. It also employs a macro-enable lure to trick users into executing the malicious content. The embedded URLs suggest a downloader functionality, aiming to fetch and execute further stages of the attack. The specific macro content was too large to display but is presumed to be responsible for initiating the download.

Heuristics 4

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
URL https://smartpalakatva.com/edQsUZOLlE/th.html
- https://pilstlcommodities.com/Ov4FlB3lpy/th.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `e61304013e31eadd8bf35fc5d3e6cbadd61463966f2a2d09ae24f65eb0ee3106`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	8349 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.