Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 713631583f9fa600…

MALICIOUS

Office (OLE) / .XLS

Size: 607.0 KB
Created: 2025-08-26 20:58:06
Authoring application: Microsoft Excel
MD5: fb8e598a053a551573f8e0da818a0331
SHA-1: 3c0cc0412d4210342f3fda30f1fa6e8faa0e20c2
SHA-256: 713631583f9fa6009da7ac91f5cedec41b057bc1a3d5819a8081517e1844bb60
Risk score: 468

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is an Excel file containing a Workbook_Open VBA macro that is designed to execute automatically when the workbook is opened. This macro performs several actions including copying the workbook, creating directories, and most critically, extracting and executing an embedded PE executable. The presence of the embedded executable and the auto-execution macro strongly indicate a malicious intent to deliver a secondary payload.

Heuristics (12)

  • XOR-encoded strings (key 0x80) [critical, SC_XOR_ENCODED]
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x80: 'LoadLibraryW'
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • PEB access via GS segment (x64) [high, SC_PEB_ACCESS_X64]
  • Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
  • Workbook_Open macro [high, OLE_VBA_WBOPEN]
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: a659cbc2291640806b75e278cf14ec40715cba56f9fd0435d548d10d5a01f2ab
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 68408 bytes
  • Filename: embedded_office_000038b9.exe
    SHA-256: f9f7c1b617afa3505c8cb8e57fd368090d48331245a2d69bff4c95ba9562f365
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x38B9
    Size: 607047 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.