Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9247ffb2c27b307…

MALICIOUS

Office (OLE)

358.5 KB Created: 2020-04-01 21:39:42 Authoring application: Microsoft Excel First seen: 2020-07-24
MD5: 5f474866fcad7e2c9417c7edf87583f6 SHA-1: ed22bfd990150a705ea1076732516f1686b6cc5c SHA-256: f9247ffb2c27b307868d9e3e9254b778d52151fb1b4c38d640ca21c792d0d79c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Xls.Dropper.Agent-7660789-0. Static analysis revealed an encrypted Excel 4.0 macro sheet, indicating the presence of executable macro code. This type of macro is commonly used to download and execute further stages of malware.

Heuristics 3

  • ClamAV: Xls.Dropper.Agent-7660789-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7660789-0
  • Encrypted Excel 4.0 macro sheet high OLE_XLM_ENCRYPTED_MACROSHEET
    Workbook contains an Excel 4.0 macro sheet and BIFF FILEPASS encryption. Password-protected XLM macro sheets, especially the default Excel password path, are a common malware evasion pattern because static formula extraction may fail until the workbook is decrypted.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.