Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 655eab7018ba94d9…

MALICIOUS

Office (OLE) / .XLS

Size: 179.2 KB
Authoring application: Microsoft Excel
MD5: 81d3e8616ff2dc819703129472b5b1e5
SHA-1: ed378521aef554fdae17338d2b497a3c0fab0db0
SHA-256: 655eab7018ba94d9ada910362c1337efff721a386e5aafb2872cea92a56735f5
Risk Score: 68

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an Excel spreadsheet containing VBA macros. Static analysis detected XOR-encoded strings, a common obfuscation technique used by malware. Although the VBA code itself is minimal and appears to contain no executable statements, the presence of obfuscated strings suggests an intent to hide malicious functionality, likely related to downloading or executing a secondary payload. The XOR key 0xDE was identified.

Heuristics (2)

  • XOR-encoded strings (key 0xDE) [severity: critical, rule: SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • VBA project contains no executable statements [severity: low, rule: OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Hash: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes