Office (OLE) / .XLS malware analysis — malicious · eb3cd37d6afb0993

MALICIOUS

Office (OLE) / .XLS

1.82 MB Created: 2010-06-04 17:26:48 Authoring application: Microsoft Excel

MD5: 67e98177aa79219e0c1bdca5d6aee947 SHA-1: 13f88b831601d03afa6cb59413044cc1f6528bf3 SHA-256: eb3cd37d6afb0993d6171bcce1e612a285b060d757707ce8451c07623dd15cb5

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1059.001 PowerShell

The sample is an Excel file containing legacy Excel 4.0 (XLM) macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_LEGACY_MACRO_VIRUS heuristic firings. These macros are known to be used for executing arbitrary code. The document body appears to be a construction cost estimate, which is likely a lure to disguise the malicious macro execution.

Heuristics 2

Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPEN

Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
Legacy XLM macro-virus family marker critical OLE_XLM_LEGACY_MACRO_VIRUS

Workbook contains an Excel 4.0 macro Auto_Open chain and legacy macro-virus family strings. This is a narrow indicator for infected XLM workbooks rather than ordinary formula use.

Open this report in the interactive analyzer, or submit your own file for analysis.