Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e5b5bf489563def6…

MALICIOUS

Office (OLE) / .XLS

73.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 5b51e9f3cd44c8def93ebae2a4b2eca1 SHA-1: 172a47fe28145c4b7459d435e01ee632a9e6ef5c SHA-256: e5b5bf489563def6d098f51265917a457aa5c9af2e2554f412aba4fa5e074ba4
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Excel 4.0 (XLM) macro-enabled spreadsheet. It contains an Auto_Open macro that uses dangerous formula APIs, specifically the RUN function, indicating an attempt to execute external code. The document body contains text that appears to be obfuscated instructions for creating a directory and downloading a file, likely an executable. The embedded URLs are suspicious and likely serve as the source for the payload. The presence of the RUN function and the lure to enable macros strongly suggests a downloader or dropper functionality.

Heuristics 5

  • XLM Auto_Open with dangerous formula APIs high OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://congnghenhatnam.vn/iviipicu/Dm
    • http://congnghenhatnam.vn/iviipicu/530340.png

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
17d62dffcf07c659f9f15678f970f036909f6766571a316fdf924e2584ae5541		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 3659 bytes
macros.bas
6482afb86d2ec7f1f8e6e88f38c92a22a2ebc9e6374d8b382d22d7c86011f736		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3253 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.