Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 eb31f78af2a07bbc…

MALICIOUS

Office (OLE) / .XLSX

36.0 KB Created: 2020-11-25 10:36:52 Authoring application: Microsoft Excel
MD5: 103db66a795dc470b6c1049fa69d804c SHA-1: 46d327b87a520395762e822fd024ab9ac9e6b9d8 SHA-256: eb31f78af2a07bbc2c938d4b8f85d7c898ffdcb45c28502f59936a97016116ab
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains Excel 4.0 macros, specifically an Auto_Open defined name, which is a critical finding. This indicates the workbook is configured to automatically execute macro code upon opening. The presence of dangerous formula APIs, including the RUN function, further confirms the intent to execute arbitrary code, likely to download and run a second-stage payload.

Heuristics 3

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
92b473e1b1e4835487e3be426522e8d6a2e5a0d7ce71f68bf6be579bf8a69c45		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6423 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.