Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 28a20e688e22505f…

MALICIOUS

Office (OLE) / .XLS

253.1 KB
MD5: c91a1ad2890873342c72d6fa20e1ea82
SHA-1: 8121e3fc31a5b8b5db3f8f03b472d0719696ff58
SHA-256: 28a20e688e22505f8c2c9b1bd4c0a5fa86405ccca750feeb7c7e2a386095e250
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The presence of XOR-encoded strings and a reference to the CreateProcess API strongly indicates that this XLS file is a malicious downloader. The encoded strings likely contain URLs for fetching and executing a secondary payload. While several URLs were extracted, three of them are marked as unknown reputation, making them potential indicators of compromise. The large slack space in the OLE document is also a common characteristic of packed or obfuscated malware.

Heuristics (4)

  • XOR-encoded strings (key 0x98) [critical: SC_XOR_ENCODED]
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x98: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA'
  • Reference to CreateProcess API [high: SC_STR_CREATEPROCESS]
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region [high: OLE_SLACK_ANOMALY]
    OLE file is 259,208 bytes but its declared streams total only 56,346 bytes; 202,862 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL [info: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.