Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd1aeac9f5cf64b6…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 2020-11-27 11:41:18
Authoring application: Microsoft Excel
MD5: d42e08394682c9261515a28aaf5ee0b9
SHA-1: ae9a73a3d016355d65c696ae956da2a5066d3af7
SHA-256: fd1aeac9f5cf64b6f13c3e3ea6dc45ae6a99cfc302de5aef9216ee53bc7a9a40
Risk score: 140

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file is an Excel 4.0 macro-enabled workbook. Heuristics indicate an Auto_Open macro and the use of dangerous functions, suggesting it is designed to execute code as soon as the workbook is opened. The macro sheet contains obfuscated data and references to potentially dangerous functions, strongly implying it is a downloader or initial execution stage for further malicious activity.

Heuristics (3)

  • Excel 4.0 Auto_Open defined name [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs [critical] OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: xlm_macros.txt
    Hash: 55b02f7e1cc29388eb157153089c14ea5dba53d869ecb76698f2ba494abba274
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 6605 bytes