Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4107a0f8635eb942…

MALICIOUS

Office (OLE) / .XLS

284.4 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 9a4eed46e432d9ef87d12acca351e251 SHA-1: 36d2cc9b453283cf43755a026a696f7ee53c3961 SHA-256: 4107a0f8635eb942311ff1e6c2bd2de95ed9ef93ff90fb8a83c4c62158d75c13
380 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an Excel file with a large slack space anomaly and an embedded PE executable. Heuristics indicate the use of WinExec, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, suggesting the execution of downloaded or embedded code. ClamAV identified the file as Win.Trojan.Downloader-46761. The embedded executable is the primary indicator of malicious intent, likely serving as a downloader for further stages.

Heuristics 9

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Downloader-46761 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Downloader-46761
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 291,264 bytes but its declared streams total only 21,308 bytes — 269,956 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000fe60.exe
abce17d045aba81126b3d0eb0d742d173286188aad4a96f6846fc81c94e364f3		 embedded-pe Office MZ+PE at offset 0xFE60 226144 bytes
Detection
ClamAV: Win.Trojan.Downloader-46761
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.