Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1fed6a73d96f2255…

MALICIOUS

Office (OLE) / .XLS

239.2 KB Created: 1999-12-24 16:36:33 Authoring application: Microsoft Excel
MD5: 6d2fd4e027b121049f98cdc2268d69a6 SHA-1: 3dcb7793b1f190ae1922bc6655a00ec0fa92d88a SHA-256: 1fed6a73d96f2255f1763fbf443514d3ec5fa06522e64a0b1a65e8f170e7516a
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1059.003 Windows Command Shell

This XLS file contains a Workbook_Open VBA macro that triggers a game-like interface when the user interacts with specific cells. The macro obfuscates its strings using XOR encoding with a key of 0xFC. While the macro's ultimate payload is not fully discernible due to truncation, the presence of obfuscated strings and the Workbook_Open trigger suggest a malicious intent, likely to download and execute a secondary payload or to phish for credentials.

Heuristics 5

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress'
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt
c2d076a6e609a8b33579240c4c97ddb741702fb224c691665176231441d0ac2f		 xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 17509 bytes
macros.bas
17f070fbd1db17996c527b2aabff45e326f6930716fc4345abb4744d6a5f3704		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 27433 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 30 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.