Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 33db07f8a9b6fd5e…

MALICIOUS

Office (OLE) / .XLS

188.9 KB Authoring application: Microsoft Excel
MD5: 7b705d8fa0f39552e26935b96f3ae2f6 SHA-1: a44b9324283bc676d4b92654aa9931c1125403da SHA-256: 33db07f8a9b6fd5e5605d447073d79ad824c255b74b649e20995172d67a56fe1
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1140 Deobfuscate/Decode Files or Information

The sample is an XLS file containing VBA macros. Heuristics indicate the presence of XOR-encoded strings (key 0xDE) and a reference to VirtualAlloc, suggesting code execution. The VBA project itself contains no executable statements, but the presence of encoded strings and API calls points to a downloader or dropper functionality. The XOR key '0xDE' is identified as a key IOC.

Heuristics 3

  • XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.