Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 44f2152851b954c6…

MALICIOUS

Office (OLE) / .XLS

Size: 148.2 KB
Authoring application: Microsoft Excel
MD5: beaeef82578b6fde69203a837bcc3581
SHA-1: 19f7d9b093c06fcd9f8e71d12d5acf91a742bbf4
SHA-256: 44f2152851b954c664e7d65bd76f83ad389ee17a7c82300034645e7414f42205
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic that fired indicates XOR-encoded strings, and the medium heuristic indicates a reference to the VirtualAlloc API, suggesting code execution. The VBA project contains macros, but the extracted modules contained no executable statements. The combination of XOR-encoded API names and the VirtualAlloc reference strongly suggests that the macro is designed to deobfuscate and execute a payload, likely to download and run a second-stage malicious file. The document body is heavily corrupted and unreadable.

Heuristics 3

  • XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes