Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e766fc1c1f28de99…

MALICIOUS

Office (OLE) / .XLS

Size: 203.5 KB
Created: 2017-11-14 16:12:16
Authoring application: Microsoft Excel
First seen: 2022-11-04
MD5: ba8fb1f562fa98142b301d9cda02bdb2
SHA-1: c74bd4ef28a9a416fbe53a36f4342ff7f4ca59bd
SHA-256: e766fc1c1f28de99f23d5c6ae4d56c9d477294fe481bdec0f11767d70d5f0791
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros. Heuristics indicate a lure to enable macros and a lure to copy/paste content into a shell, suggesting a downloader or initial access mechanism. The document body contains text related to financial transactions and forms, reinforcing the lure. No specific URLs or executable payloads were directly extracted, but the presence of macros and lures strongly suggests malicious intent to execute further stages.

Heuristics 4

  • Clipboard command execution lure (severity: high, ID: SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Macro/content-enable lure (severity: medium, ID: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Fake invoice / payment lure (severity: low, ID: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas (ab52831cfa9d8c53699ccc0b2ee2579920e33d86cdf979ac45cdba9213dc24f1)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8710 bytes