Xls.Downloader.94c25b356b5a6cac-9978798-0 — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 758ffe560667c9d4…

MALICIOUS

Office (OLE) / .XLSX

48.4 KB First seen: 2022-02-22
MD5: 6e86696579372b72de819058e4ad0290 SHA-1: 21224a9d92277de131de71eb7c4dbce6541ced63 SHA-256: 758ffe560667c9d4fe8189589ee062a0f4a50c9955526d95826e686420810d11
160 Risk Score

Malware Insights

Xls.Downloader.94c25b356b5a6cac-9978798-0 · confidence 85%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as a malicious Excel downloader by ClamAV. It is password-encrypted, preventing static analysis of its content, but the encryption and malformed structure suggest an attempt to obfuscate malicious behavior. The detection name implies it is designed to download additional malware.

Heuristics 4

  • Encrypted Office package with CFB FAT corruption critical OLE_ENCRYPTED_AND_MALFORMED
    Encrypted-package shape co-occurs with FAT-chain corruption — the documented combined evasion form.
  • ClamAV: Xls.Downloader.94c25b356b5a6cac-9978798-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.94c25b356b5a6cac-9978798-0
  • Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGE
    OLE container holds MS-OFFCRYPTO encrypted package (Standard Encryption (Office 2007, AES)).
  • Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML
    OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.

Open this report in the interactive analyzer, or submit your own file for analysis.