Office (OLE) / .XLS malware analysis — malicious · 74fbabb34c570d7d

MALICIOUS

Office (OLE) / .XLS

102.1 KB Authoring application: Microsoft Excel

MD5: 14ff3f8c346a7a0ad39f127490ea8227 SHA-1: c5df7d4ffcb18d9df0e5dfdc06b13127c0bcb71e SHA-256: 74fbabb34c570d7dac96ba0f623de0b461e42c8f6194b5b6f00b1e359aadab68

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter

The file is an Excel spreadsheet identified as malicious. Static analysis revealed VBA macros, a PEB API-hash resolver, and XOR-encoded strings, indicating a likely attempt to obfuscate malicious code execution. The presence of VBA macros suggests the primary attack vector is likely T1059.005 (Visual Basic).

Heuristics 5

XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'ADVAPI32.DLL', 'CreateProcessA', 'ExitProcess', 'ExitProcess', 'CreateFileA'
x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EBX)
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.