MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample is an Excel spreadsheet containing XOR-encoded strings and a reference to the CreateProcess API, indicating malicious intent. The embedded VBA code likely attempts to download and execute a secondary payload from one of the extracted URLs. The large slack space in the OLE structure is also suspicious.
Heuristics 4
-
XOR-encoded strings (key 0x98) critical SC_XOR_ENCODEDFound 8 Windows library/API name(s) XOR-encoded with single-byte key 0x98: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA�', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA'
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 166,022 bytes but its declared streams total only 56,346 bytes — 109,676 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.airitibooks.com/detail.aspx?PublicationID=P20090302349
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227363
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090218009
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219192
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219193
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302343
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219183
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219194
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227156
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227158
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302268
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227013
- http://www.airitibooks.com/detail.aspx?PublicationID=P200903262072
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227016
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090828113
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227015
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227014
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227359
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227361
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227360
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227356
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227357
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219081
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227169
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302342
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302340
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090916030
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227483
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227482
- http://www.airitibooks.com/d
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302348
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302345
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302580
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302579
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219185
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302541
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219187
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090219019
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302341
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227140
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227139
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302109
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227137
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302529
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090218249
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302527
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302535
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302539
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090302281
- http://www.airitibooks.com/detail.aspx?PublicationID=P20090227352
+76 more URL(s)
Open this report in the interactive analyzer, or submit your own file for analysis.