Office (OLE) / .XLS malware analysis — malicious · f3a82efd0f36c9cb

MALICIOUS

Office (OLE) / .XLS

48.5 KB Created: 2020-11-16 12:25:15

MD5: 9506923c68652e444b7100588676f37b SHA-1: 3a75668693d87f46894b10e67283d7c89197319e SHA-256: f3a82efd0f36c9cb653b4527855662d7f30f9db2871eef5e6f54d06d869a4113

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell

The file is identified as malicious due to the presence of VBA macros that launch decoded Excel 4.0 macros via ActiveX events. This technique is commonly used to execute arbitrary code, often to download and run further malicious payloads. The obfuscated document body content and the nature of the heuristics suggest a downloader or stager functionality.

Heuristics 2

VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGER

VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `bb395f56140a6cc0cafc305f44c7e513b46c41fef80c6c9e1db5f90e088c183a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2196 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.