Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 7f7b571ed4a5de66…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS
Size: 784.0 KB
Authoring application: Microsoft Excel
MD5: 019ef4f2ab1824ae85c345a656680f7b
SHA-1: 793088382533410111f5b4945af92c39614b5bbd
SHA-256: 7f7b571ed4a5de665f1de34706db7182c4d0687eeb1c2ceb0e1baf2e207fa98a
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1027 Obfuscated Files or Information
  • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer

The sample exhibits high-confidence heuristics for PEB access and API hash resolution, indicating attempts to evade detection. The presence of strings XOR-encoded with the single-byte key 0xFF suggests obfuscation is used to hide malicious functionality. While no executable VBA code was found, the overall pattern points to a downloader attempting to fetch and execute a second-stage payload.

Heuristics (6)

  • XOR-encoded strings (key 0xFF) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'msvcrt.dll', 'KERNEL32.DLL', 'iphlpapi.dll', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA'
  • x86 GetPC stub (CALL $+5; POP EBX) [high] SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBX)
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver [high] SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes