Office (OLE) / .XLS malware analysis — malicious · 7b3fd05531fd5138

MALICIOUS

Office (OLE) / .XLS

231.8 KB Authoring application: Microsoft Excel

MD5: 88af8165ad381f48d92c5c1139ad259a SHA-1: 8ae02971300ab62ff82c4a4833657aacd5c02df4 SHA-256: 7b3fd05531fd51387f0134903c47ace6b10c4efe5f0d8cac0ca4ce2aa8c2abc4

88 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1027 Obfuscated Files or Information

The sample is an Excel file with a verdict of malicious. Static analysis detected XOR-encoded strings and a reference to the VirtualAlloc API, suggesting code execution and obfuscation techniques. The VBA project contains macros, but they are noted as having no executable statements, which is unusual for a malicious macro. The document body is heavily corrupted and unreadable. Given the limited readable content and the nature of the heuristics, the sample likely attempts to download and execute a second-stage payload, but the exact mechanism is obscured.

Heuristics 3

XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.