Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 fd6ebb1dbec17f8b…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 272.5 KB
Created: 1995-05-29 15:50:39
MD5: 7227a1fd469a0294b8af000e369ad9e7
SHA-1: 2c2e786046a4c18201830f0a841ff234613a3ce7
SHA-256: fd6ebb1dbec17f8b7786a88938cae16d52455b483eb6d735635801a0b0399e49
Risk Score: 288

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment

The file is an Excel 4.0 (XLM) spreadsheet containing both XLM and VBA macros. Heuristics indicate the presence of Auto_Open and Auto_Close macros, along with the use of dangerous XLM functions like RUN. The document body presents a fake invoice customization interface, suggesting a lure to trick users into enabling macros. While no specific URLs or executable payloads were extracted, the macro execution and lure suggest a downloader or initial access mechanism.

Heuristics (7)

  • [critical] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) Auto_Open + macro sheet
    Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet: the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
  • [critical] OLE_XLM_AUTOOPEN_DEFINEDNAME: Excel 4.0 Auto_Open defined name
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • [critical] OLE_XLM_DANGEROUS_FN: XLM Auto_Open with dangerous formula APIs
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • [high] OLE_VBA_AUTO: Auto_Open macro
    Document contains a VBA Auto_Open macro.
  • [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
    Document contains a VBA Auto_Close macro.
  • [medium] OLE_VBA_MACROS: VBA macros detected
    Document contains VBA macro code.
  • [low] SE_INVOICE_LURE: Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • xlm_macros.txt
    Kind: xlm-macro
    Source: oletools.olevba.extract_all_macros (XLM macro listing)
    Size: 36284 bytes
    SHA-256: 9fdf13e932d9b67ddfe4c71974259c4f65e6c1f64d90f2c084663e7e23251127
  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 39514 bytes
    SHA-256: 65081495a65c007a2bc4fc5f6e4c737b29b82862bab2f03b02716509f3804ae7