Office (OLE) / .XLS malware analysis — malicious · f9adf499bc16bfd0

MALICIOUS

Office (OLE) / .XLS

33.0 KB Created: 2021-01-19 10:09:45 Authoring application: Microsoft Excel

MD5: 20ce34e6dfd1f17d5e1e8564167c23bd SHA-1: 984045d9a670b781f4712611c87cc191380ef6f9 SHA-256: f9adf499bc16bfd096e00bc59c3233f022dec20c20440100d56e58610e4aded3

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment

The file contains obfuscated Excel 4.0 macros, indicated by the OLE_XLM_AUTOOPEN and OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN heuristics. The document body presents a fake invoice and instructs the user to enable content. The macro chain is obfuscated and appears to be designed to download and execute a secondary payload, though the specific download URL or execution method could not be fully reconstructed due to the obfuscation.

Heuristics 2

Obfuscated XLM defined-name macro chain high OLE_XLM_OBFUSCATED_DEFINED_NAME_CHAIN

Excel 4.0 macro sheet uses many random-looking defined-name references, state-changing formulas, and control-transfer formulas while carrying embedded OOXML ZIP content in the workbook stream. This is a malicious XLM macro pattern rather than a document-parser CVE.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`xlm_macros.txt` `c89517c92003e426158ebc012c15cf364bcd94046ad756c1db9dfe43fb1a37e8`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	3528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.