Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 46ca4e524386a298…

Verdict: MALICIOUS

File type: Office (OLE) / .XLSX
Size: 18.7 KB
First seen: 2022-08-18
MD5: a9dbe644d90e7da3fc936e39d4aed24e
SHA-1: 86385702a668efb25b81931738cae2b141cd8bb0
SHA-256: 46ca4e524386a298ffbf2409a86b590cf5e45a93e26b7fe4f8138a03042d0bed
Risk score: 100

Malware Insights

MITRE ATT&CK
T1564.003 Obfuscated Files or Information: Hidden Files

The sample is an encrypted and malformed Office document, which is a common technique to conceal malicious payloads. The encryption and structural corruption prevent further static analysis of the document's content or embedded scripts. This suggests the file's primary purpose is to evade detection and analysis.

Heuristics (3)

  • Encrypted Office package with CFB FAT corruption (severity: critical; rule: OLE_ENCRYPTED_AND_MALFORMED)
    The encrypted-package shape co-occurs with FAT-chain corruption, the documented combined evasion form.
  • Office document is password-encrypted (severity: medium; rule: OFFICE_ENCRYPTED_PACKAGE)
    The OLE container holds an MS-OFFCRYPTO encrypted package using Standard Encryption (Office 2007, AES).
  • Office OOXML encrypted with default VelvetSweatshop password (severity: medium; rule: OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML)
    The OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens such files transparently, and malware uses this to hide OOXML exploit parts from scanners that only inspect the outer OLE container.