Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 1d31a4f8083ca448…

MALICIOUS

Office (OLE) / .XLSX

Size: 19.6 KB
First seen: 2022-03-24
MD5: 35b711bc37f7a3c2316a0d2338b3cd0f
SHA-1: 6a4ead3778f047464779809bf45d7e64abb23bcd
SHA-256: 1d31a4f8083ca448342f5d4110eb5abca5dd10a5a613b0dedcd0b6e02e08192c
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an Office document that is password-encrypted and exhibits malformed structures, specifically CFB FAT corruption. This combination of encryption and corruption strongly suggests an attempt to hide malicious content or evade detection. While no specific payload or script was directly extracted due to the obfuscation, the heuristics indicate a deliberate effort to make the file difficult to analyze, often a precursor to delivering malware. The confidence is moderate due to the lack of directly executable code or network indicators.

Heuristics (3)

  • [critical] OLE_ENCRYPTED_AND_MALFORMED: Encrypted Office package with CFB FAT corruption
    Encrypted-package shape co-occurs with FAT-chain corruption, the documented combined evasion form.
  • [medium] OFFICE_ENCRYPTED_PACKAGE: Office document is password-encrypted
    OLE container holds an MS-OFFCRYPTO encrypted package using Standard Encryption (Office 2007, AES).
  • [medium] OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML: Office OOXML encrypted with default VelvetSweatshop password
    The OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens such files transparently, and malware uses this to hide OOXML exploit parts from scanners that only inspect the outer OLE container.