Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 0beb6df1d5b25152…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 247.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 4a09cad5d7192f2f89662eaa2e3ada4c
SHA-1: 6653adf68230a6ba05202cffd2e4e42d92f68595
SHA-256: 0beb6df1d5b251523169e0de3b55c9413d8c2e1e9a3e55513004d678049c0f2c
Risk score: 462

Malware Insights

MITRE ATT&CK
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The analysis identified an embedded executable and a script inside an OLE package, indicating dropper functionality. The script is explicitly flagged as a download-and-execute mechanism that fetches a payload from http://www.koreanews.cc/images/zz.jpg. Numerous heuristics related to shellcode execution, PEB access, and references to APIs such as CreateProcess and ShellExecute further support the malicious verdict.

Heuristics (12)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script [critical] OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that invokes a shell or script host (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Heap-spray pattern detected [high] SC_HEAP_SPRAY
    Repeated 0x07 bytes found
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE file contains raw shellcode-like resolver payload [high] OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x61 bytes
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.koreanews.cc/images/zz.jpg

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_00004118.exe
    SHA-256: 21cb8a06a6bb4acc25a4dfcfa2e1a110688e0ae1e719fd545b24365e5deb33fc
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x4118
    Size: 236264 bytes
  • Filename: ole10native_00.bin
    SHA-256: 26ccca25d507b9daed47f1f0d62215366fc882256b78456c03a87ecf298543cf
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD001A44E1/Ole10Native
    Size: 213072 bytes