Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e4d560c489dba283…

MALICIOUS

Office (OLE) / .XLS

81.0 KB Created: 2021-03-18 07:16:28 Authoring application: Microsoft Excel
MD5: 1a49fe1a9c135ccd9c9f2d9cf395f378 SHA-1: 24d6ab599cef554a8e8e6b2e3abffb7072e6e1db SHA-256: e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.002 Spearphishing Attachment

The presence of a Workbook_Open macro, combined with a CreateObject call and a long encoded blob within the VBA macros, strongly suggests malicious intent. The Workbook_Open macro is a common technique for automatically executing code when a malicious Excel file is opened. The CreateObject call is often used to instantiate objects for downloading or executing further payloads. While no specific URLs were extracted, the overall structure points to a downloader or droppper functionality.

Heuristics 6

  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
a58eee81d68176eaaeade62eae39dedc6d13563c8629ea088c9cc53e49399412		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 5857 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.