Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7d2135ec912676e1…

MALICIOUS

Office (OLE) / .XLS

Size: 221.4 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: 2ea9dbe4109483b77f3b6db49d2182ab
SHA-1: 69ffc65fdabf0536540a4914883c2c774bc93081
SHA-256: 7d2135ec912676e123fb025903bfa28be5efe30e431758c400aec1b0042183b8
248 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1059.005 Visual Basic
  • T1071.001 Web Protocols

The sample is an OLE Excel file containing an embedded SWF (Flash) object, a high-risk indicator for exploitation. Heuristics indicate references to ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, which suggest the execution of arbitrary code. The document body contains obfuscated text and references to 'about:blank' and 'res://srvwiz.dll/default.hta', both of which are often used in exploit delivery chains. The embedded URLs, although one is marked benign, suggest a potential download or redirection mechanism. The document also contains a VBA project, although it has no executable statements.

Heuristics 8

  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 226,752 bytes but its declared streams total only 42,689 bytes — 184,063 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.juno.dti.ne.jp/~logicp/index.html
    • http://investor.msn.com/external/excel/quotes.asp?SYMBOL=[

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 73fe284b1e885bd0405ecb421b1224021163ce4aa3bca30e5a2deb64f9916b3c
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 684 bytes