Malicious Office (OLE) / .XLSX — malware analysis report

Heuristics 12

• WScript.Shell usage critical OLE_VBA_WSCRIPT
  WScript.Shell usage
• VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
• Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
• OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
  OLE file is 220,672 bytes but its declared streams total only 106,851 bytes — 113,821 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
• OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
  OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
• Workbook_Open macro high OLE_VBA_WBOPEN
  Workbook_Open macro
• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• VBA macros detected medium OLE_VBA_MACROS
  Document contains VBA macro code
• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
• Fake invoice / payment lure low SE_INVOICE_LURE
  Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://limarija-das.hr/wp-conte

  • https://steijnborg.mobilitum.com/wp-content/themes/twentytwentyone/templa�
  • https://ar5E*f#teecaligrafia.com.br/image5E*f#ns/fotos/thumbs/MupJ4cZzxoElmn.php
  • https://limarija-das.hr/wp-content/plugins/wp-optimize/js/handlebars/CJrMovjhM.php@OoG)o;W|jz
  • https://steijnborg.mobilitum.com/wp-content/themes/twentytwentyone/template-parts/content/WjovFkpG3.phpAPyJL
  • https://blog.bitz.pe/wp-content/plugins/wpforms-lite/vendor/goodby/csv/src/Goodby/CSV/Import/Protocol/Exception/M7yde0cw.phpQOjdAH+H|M
  • https://ahd_O$Bn
  • https://courieradmin.pheG&Eo
  • https://sierraimoveis.com.br/manager/boweY1O46qlr_components/bootstrap/lessY1O46ql/mixins/BpZbPd8mY0.php
  • https://fitzgeraldstreet.com/ap-photos/themes/modus/css/fontello/1j5yZLSi4VE.phpc/5NT5j
  • https://tricommanagement.H4t9ioH4t9irg/fonts/H4t9ifont-awesome-4.7.H4t9i0/css/zhk1GWeH4t9idvcwJJJ.php

Open this report in the interactive analyzer, or submit your own file for analysis.