Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 427869a47516410b…

MALICIOUS

Office (OLE) / .XLS

150.6 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 8703ec47e116b30171002cd60dd68345 SHA-1: 0dbd621da55bdd04e5ff7a788f0bfce71ec5070e SHA-256: 427869a47516410b8442d38e86984055558fc6f4ab4526450179e8e938308233
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer T1071.001 Web Protocols

The file exhibits characteristics of a malicious document, including a large slack space anomaly and references to Windows API functions like CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting it attempts to load and execute code. The document body presents itself as an application form for various permits, likely a social engineering lure. While no scripts were extracted, the API calls indicate the potential for downloading and executing a second-stage payload.

Heuristics 6

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 154,240 bytes but its declared streams total only 21,308 bytes — 132,932 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/office/internal/2005/internalDocumentation
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms

Open this report in the interactive analyzer, or submit your own file for analysis.