Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 34da362a8dc27010…

MALICIOUS

Office (OLE) / .XLS

166.5 KB
MD5: b97bdfce1eb173c3993e1e6ea84f163a SHA-1: 61b56e20cd99fc3c7474ff3cc89dacd93a28631b SHA-256: 34da362a8dc2701065dfc11ade6695fd9c440134a5fb921f64df4bc05339be5f
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1218.011 Signed Binary Proxy Execution: Rundll32 T1071.001 Web Protocols

The sample is an OLE Excel file exhibiting a large slack space anomaly, indicative of packed or obfuscated content. High-severity heuristics indicate the presence of API hashing and PEB access, common techniques for shellcode execution. References to CreateProcess, LoadLibrary, and GetProcAddress suggest dynamic loading of malicious code. While no specific VBA scripts were extracted, the overall heuristic profile strongly suggests a macro-based execution chain. The embedded URLs, though currently benign, are often used for initial staging or command and control.

Heuristics 8

  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 170,496 bytes but its declared streams total only 56,346 bytes — 114,150 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

Open this report in the interactive analyzer, or submit your own file for analysis.