Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3f1b597a9d44d906…

MALICIOUS

Office (OLE) / .XLS

185.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel
MD5: 085dbd6c690f06e94fdb4325c1da57c8 SHA-1: ff30471902c6b022e3d8ae95b2c650947d78fb02 SHA-256: 3f1b597a9d44d906db77037184cf1cdbd39c986e9fc795c45043116315771c2f
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1218.011 Signed Binary Proxy Execution: Rundll32 T1059.005 Visual Basic

The sample is an Excel spreadsheet containing VBA macros. Heuristics indicate the use of WinExec, CreateProcess, LoadLibrary, and GetProcAddress APIs, along with suspicious cmd.exe invocation and visible LOLBin command execution instructions. The embedded artifact 'macros.bas' likely contains the malicious VBA code. The presence of 'res://srvwiz.dll/default.hta' and 'about:blank' as URLs suggests the macro attempts to download and execute a second-stage payload, possibly an HTA file, using Windows scripting tools.

Heuristics 11

  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 189,952 bytes but its declared streams total only 42,689 bytes — 147,263 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x61 bytes
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.interwoven.com/mediabin/1.0/
    • http://investor.msn.com/external/excel/quotes.asp?SYMBOL=[
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
73fe284b1e885bd0405ecb421b1224021163ce4aa3bca30e5a2deb64f9916b3c		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.