Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3051f89d6336fcb2…

MALICIOUS

Office (OLE) / .XLS

67.2 KB
MD5: aa0c9b85900bbfd68c1ae197747247ae
SHA-1: 0ad17ccc727292b8fc17213e674420d4bdbccc42
SHA-256: 3051f89d6336fcb27f1cb3dd6a749e78e424e343c4496d7348e6c224305cc706
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is an Excel spreadsheet that exhibits a NOP sled and a reference to the VirtualAlloc API, common indicators of shellcode execution. Although VBA macros could not be extracted due to an unsupported format, these heuristics strongly suggest the file is designed to deliver and execute a payload. The presence of a NOP sled indicates an attempt to bypass security controls by providing a buffer for shellcode.

Heuristics (3)

  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Unsupported Office format for VBA extraction (severity: info, rule: OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML; re-scanning the same bytes will yield the same outcome.