Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3116749d0d464d9c…

MALICIOUS

Office (OLE) / .XLS

Size: 81.4 KB
Authoring application: Microsoft Excel
MD5: 66d32e29525146321a7fd4d1611a5f98
SHA-1: e0edcb577b2aa7bad42ee670fcd92174e430177a
SHA-256: 3116749d0d464d9ca136ffc0cdeee55ce45bac7bef957658d5887a3bdd97556e
Risk Score: 88

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1027 Obfuscated Files or Information
  • T1140 Deobfuscate/Decode Files or Information

The file is an Excel spreadsheet with a verdict of malicious. Heuristics indicate the presence of XOR-encoded strings and a reference to the VirtualAlloc API, suggesting code execution and obfuscation techniques. Although the heuristic found no executable statements in the VBA project, the presence of encoded API names and the VirtualAlloc reference implies that the macro is likely used to download and execute a second-stage payload. The document body is heavily corrupted and does not provide further context.

Heuristics (3)

  • XOR-encoded strings (key 0xDE) [severity: critical, rule: SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • Reference to VirtualAlloc API [severity: medium, rule: SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API
  • VBA project contains no executable statements [severity: low, rule: OLE_VBA_MACROS]
    Document contains a VBA project, but the extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes