Office (OLE) / .XLS malware analysis — malicious · eb743e9a6469646a

MALICIOUS

Office (OLE) / .XLS

238.6 KB Created: 1999-12-24 16:36:33 Authoring application: Microsoft Excel

MD5: 64d9abb30615498bfd13b4b8d15a7554 SHA-1: 6889795d509504c79823c3e27158caad554774b9 SHA-256: eb743e9a6469646a47d013fd8a83eb67c711f6660f71bb90763733fffc5d4e02

180 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1059.005 Visual Basic

The file is an Excel spreadsheet containing both VBA and Excel 4.0 (XLM) macros. The Workbook_Open VBA macro is present and appears to initiate a game-like interface. The XLM macro sheet is also present and likely contributes to the execution flow. The XOR-encoded strings heuristic suggests obfuscation techniques are in use. While the specific malicious payload is not immediately clear from the provided script excerpts, the presence of multiple macro types and obfuscation points to a malicious document designed to execute code upon opening.

Heuristics 5

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'LoadLibraryW', 'LoadLibraryExA', 'GetProcAddress', 'RegOpenKeyExA'
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `c2d076a6e609a8b33579240c4c97ddb741702fb224c691665176231441d0ac2f`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	17509 bytes
`macros.bas` `9b65a7c47a6b3b28f268b5c02efc23dbe1b810b50d113087b48df3f454639774`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	27433 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 30 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.