Malicious Office (OLE) / .XLSX — malware analysis report

Heuristics 11

• WScript.Shell usage critical OLE_VBA_WSCRIPT
  WScript.Shell usage
• OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
  OLE file is 227,840 bytes but its declared streams total only 111,991 bytes — 115,849 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
• OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
  OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
• Workbook_Open macro high OLE_VBA_WBOPEN
  Workbook_Open macro
• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• VBA macros detected medium OLE_VBA_MACROS
  Document contains VBA macro code
• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
• Fake invoice / payment lure low SE_INVOICE_LURE
  Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
  URL https://monarchmedical.co.uk/ven�Vt���

  • https://es.e-m2.n�
  • https://santorinitr�������}A
  • https://ahd|d5%lYm|d5%lYspor|d5%lYt.com/boots|P
  • https://monarchmedical.co.uk/vendor/bootstrap/css/xrKVZy8sh5ri.phpp0BH;VN-Gk
  • https://courieradmU
  • https://t$7%So)Weste.sitiodoastronauta.com.br/wp-includes/js/tinymce/plugins/charmap/M19jooPri8Tq.php
  • https://es.e-m2.net/wp-includes/js/tinymce/themes/inlite/8S7qnln7.phpe9(wSz|7=@7Qp4
  • https://dev1.whoatemylunch.org/wpjL02,-includes/js/tinymce/themes/inlite/hxXjL02,jL02,HK0N6.php
  • https://santorinitravel.naturalgraphic.hu/wp-content/plugins/cookie-law-info/public/css/l5e7I9bjYqmEQ.php/b&wtz&_UaC1BgqK
  • https://adamjeecommodities.com/wp-content/themes/adamjeecom/inc/options/kUQIZCFicsJ.phpamzj1iLrO
  • https://ahd|d5%lYm|d5%lYspor|d5%lYt.com/boots|d5%lYtrap/scripts/_notes/Xwi4K0Brmw|d5%lYX6|d5%lYhf.php

Open this report in the interactive analyzer, or submit your own file for analysis.