Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2c52683382f1cf29…

MALICIOUS

Office (OLE) / .XLS

217.8 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: e97ad3ecf3acd5d7ce7e13070788b3e7 SHA-1: 501fde44efc72b7d70080cb21e596196585a9eaa SHA-256: 2c52683382f1cf2919505fe994bb4ce0cfa5a635cda5da82bc8781cebea5a027
180 Risk Score

Malware Insights

MITRE ATT&CK
T1105 Ingress Tool Transfer

The critical heuristic OLE_EMBEDDED_EXE indicates the presence of a Portable Executable (PE) file embedded within the OLE document. The high-severity heuristics SC_STR_LOADLIBRARY and SC_STR_GETPROCADDRESS suggest that code within the document is attempting to dynamically load and execute this embedded payload. The OLE_SLACK_ANOMALY further supports the presence of hidden or obfuscated data, common in malicious OLE files. The embedded executable is the primary IOC.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 222,980 bytes but its declared streams total only 24,565 bytes — 198,415 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000a800.exe
80a9d5d83474c5570bce249595b202497688dfdcc242036132378ec960fde493		 embedded-pe Office MZ+PE at offset 0xA800 179972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.