Office (OLE) / .XLS malware analysis — malicious · 5a33c282aa11a30b

MALICIOUS

Office (OLE) / .XLS

141.1 KB Authoring application: Microsoft Excel

MD5: 2b63eb28fb16d9a18b19273145ee51cb SHA-1: 39f36b381bb2ac465c88e99492ba2f7e77a9aa08 SHA-256: 5a33c282aa11a30b2673d9e4dc582657e42022587e128d84d75a14d0f65c28e1

88 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1140 Deobfuscate or Obfuscate Malicious Code

The critical heuristic firing for XOR-encoded strings (key 0xDE) and the presence of a VBA macro indicate the sample is designed to execute obfuscated code. The reference to VirtualAlloc API suggests memory allocation for malicious code execution. While no direct download URL or second-stage payload was extracted, the overall pattern points to a macro-based downloader.

Heuristics 3

XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.