Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4f890f2bff117669…

MALICIOUS

Office (OLE) / .XLS

120.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 2e799777363fea1d76878250444b73e4 SHA-1: 3229982d2e85ce189c4a675e2b64c2601f8476d3 SHA-256: 4f890f2bff1176694d566a6584246995d3a23a5916bb91149c763f5767c4382d
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information

The sample exhibits multiple high-severity heuristic firings, including references to WinExec, LoadLibrary, and GetProcAddress APIs, along with XOR-encoded strings (key 0x02). These indicators strongly suggest the presence of malicious code designed to load and execute further payloads. The large slack space in the OLE structure is also anomalous. While no specific family is identified, the techniques point towards a downloader or loader.

Heuristics 7

  • XOR-encoded strings (key 0x02) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x02: 'kernel32.dll', 'wininet.dll', 'VirtualAlloc', 'VirtualAllocEx', 'CreateProcessA', 'InternetOpenA', 'InternetOpenUrlA', 'WriteProcessMemory'
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 122,880 bytes but its declared streams total only 24,565 bytes — 98,315 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wordpptxls.files.wordpress.com/2010/05/0423.docx
    • http://wordpptxls.files.wordpress.com/2010/05/0424.docx
    • http://wordpptxls.files.wordpress.com/2010/05/0425.docx

Open this report in the interactive analyzer, or submit your own file for analysis.