Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f56263ffcff07276…

MALICIOUS

Office (OLE) / .XLS

Size: 70.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 7d0d0339982b13de4b4de25b321c9eb1
SHA-1: 18a8bdbce2e7ad735c048b48d927aa94697dbd82
SHA-256: f56263ffcff07276139c9152b886f3a875d241ae1198d2f85e506560321998bb
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is an Excel 4.0 macro-enabled spreadsheet. The presence of an Auto_Open macro with dangerous functions, specifically the RUN function, indicates malicious intent. The macro likely attempts to download and execute a payload from one of the embedded URLs. The document body contains strings that appear to be API calls related to file and directory operations, further supporting the payload execution hypothesis.

Heuristics (5)

  • XLM Auto_Open with dangerous formula APIs [high] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes/options/comments and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ospwiazow.pl/lccucspkerw/D�
    • http://ospwiazow.pl/lccucspkerw/625986.png

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
SHA-256: 2845de6dbd83c4e1cafa3d64878cdff91f23f28632933d8d06998c6ee4c4961f
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 3702 bytes

Filename: macros.bas
SHA-256: 8f1da3b9cfde2aea8d3e5eefb2ed308ddd13ef0003e05a3e9976c57190d9580d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2647 bytes