Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 82938b680bdaeddb…

MALICIOUS

Office (OLE) / .XLS

Size: 597.0 KB
Created: 2023-04-13 08:31:03
Authoring application: Microsoft Excel
MD5: a02bbd267d98c2c0c480e8c2ab9459ef
SHA-1: 24e6f14b18ca1f5d544bf537de099dfe13be4a56
SHA-256: 82938b680bdaeddb0585cac072868e68412b830dfdc49a45e833f38631855e67
Risk score: 428

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information

The sample is an Excel workbook containing VBA macros, including a Workbook_Open procedure that runs automatically when the file is opened. A PE executable is embedded in the document at offset 0x4030 (594896 bytes). The VBA source references the CreateProcess, LoadLibrary and GetProcAddress APIs, and one API name, NtAllocateVirtualMemory, is stored XOR-encoded with the single-byte key 0x03; together these suggest a loader that resolves imports at runtime and executes the embedded file. The document body appears to be a form for psychological assistance requests, a social-engineering lure. ClamAV did not flag either carved artifact, so the verdict rests on the static heuristics below.
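How the SC_XOR_ENCODED heuristic finds a single-byte-XOR-encoded API name is worth seeing in code. The following scanner is an added example written for this page, not part of the analysis tool that produced the report: it encodes each known API name under every possible key and searches the raw buffer for the result, which is much cheaper than decoding a 600 KB file 256 times. The API list and the sample buffer are constructed for the example; the buffer is not data from the analysed file.

```python
import re

# Short list of Windows API names worth looking for; a real scanner carries a
# much longer list. Names shorter than min_len are skipped because short words
# collide with ordinary data under some key.
API_NAMES = [
    b"NtAllocateVirtualMemory",
    b"CreateProcessA",
    b"LoadLibraryA",
    b"GetProcAddress",
    b"VirtualAlloc",
    b"WriteProcessMemory",
    b"CreateRemoteThread",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_apis(data: bytes, names=API_NAMES, min_len=8):
    """Return (key, api_name, offset) for every API name found under any
    single-byte key. Key 0x00 reports plaintext occurrences."""
    hits = []
    for key in range(256):
        for name in names:
            if len(name) < min_len:
                continue
            needle = xor_bytes(name, key)           # encoded form to look for
            for m in re.finditer(re.escape(needle), data):
                hits.append((key, name.decode(), m.start()))
    return hits


def xor_encoded_api_report(data: bytes, names=API_NAMES, min_len=8):
    """Group hits by key, dropping key 0x00 (plaintext), which is what a
    'strings XOR-encoded with key K' finding summarises."""
    by_key = {}
    for key, name, off in find_xor_encoded_apis(data, names, min_len):
        if key == 0:
            continue
        by_key.setdefault(key, []).append((name, off))
    return by_key


# Constructed sample buffer (not taken from the analysed workbook): filler,
# one API name encoded with key 0x03, filler, one plaintext API name.
KEY = 0x03
SAMPLE = (b"\x00" * 8
          + xor_bytes(b"NtAllocateVirtualMemory", KEY)
          + b"\x00" * 4
          + b"GetProcAddress"
          + b"\xff" * 4)

if __name__ == "__main__":
    for key, name, off in find_xor_encoded_apis(SAMPLE):
        print(f"key=0x{key:02x} {name} @ 0x{off:x}")
    print(xor_encoded_api_report(SAMPLE))
```

Running this over a whole OLE file (or over each carved artifact) reproduces the report's finding shape: one encoded name, one key. Plaintext hits under key 0x00 are the same evidence the SC_STR_* heuristics rely on.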

Heuristics (11)

  • XOR-encoded strings (key 0x03) [critical] SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x03: 'NtAllocateVirtualMemory'
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document: possible embedded executable
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
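The OLE_VBA_WBOPEN, OLE_VBA_CREATEOBJ, OLE_VBA_ENVIRON and OLE_VBA_PCODE_AUTOEXEC_EXEC findings are all instances of one check: an auto-execution entry point present together with execution, download or object-creation tokens. The triage function below is an added example written for this page, not the report tool's own code. It accepts either decoded VBA source or raw bytes from a module stream, so it still works when only identifier strings survive in the compiled form. The token lists and the three sample inputs (a dropper-shaped skeleton with no payload, a harmless Workbook_Open, and a constructed p-code-like byte string) are assumptions made for the example.

```python
import re

# Procedures Office runs without user interaction.
AUTOEXEC_TOKENS = [
    "Workbook_Open", "Workbook_Activate", "Auto_Open", "AutoOpen",
    "Document_Open", "AutoExec", "Auto_Close", "Document_Close",
]

# Execution-related tokens, grouped roughly the way the heuristics above group them.
EXEC_TOKENS = {
    "shell":    ["Shell", "WScript.Shell", "ShellExecute", "CreateProcess", "Run", "Exec"],
    "download": ["URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "ADODB.Stream"],
    "object":   ["CreateObject", "GetObject", "CallByName"],
    "api":      ["Declare", "LoadLibrary", "GetProcAddress", "VirtualAlloc",
                 "NtAllocateVirtualMemory"],
    "env":      ["Environ"],
}


def _find_tokens(text: str, tokens):
    """Case-insensitive identifier match; the lookarounds stop 'Run' from
    matching inside 'Running' while still matching 'sh.Run' or '\\x00Run\\x00'."""
    found = []
    for tok in tokens:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, text, re.IGNORECASE):
            found.append(tok)
    return found


def triage_vba(stream):
    """stream: decoded VBA source (str) or a raw module/p-code stream (bytes).
    Flags only when an auto-exec entry point AND some execution token coexist."""
    text = stream.decode("latin-1") if isinstance(stream, bytes) else stream
    autoexec = _find_tokens(text, AUTOEXEC_TOKENS)
    matches = {cat: _find_tokens(text, toks) for cat, toks in EXEC_TOKENS.items()}
    matches = {cat: toks for cat, toks in matches.items() if toks}
    return {"autoexec": autoexec, "matches": matches,
            "flag": bool(autoexec) and bool(matches)}


# Constructed sample 1: dropper-shaped skeleton (no payload, only the tokens).
DROPPER_SRC = '''Private Sub Workbook_Open()
    Dim p As String
    p = Environ("TEMP") & "\\update.exe"
    Set sh = CreateObject("WScript.Shell")
    sh.Run p, 0
End Sub
'''

# Constructed sample 2: auto-exec procedure with nothing suspicious in it.
BENIGN_SRC = '''Private Sub Workbook_Open()
    Sheets("Summary").Range("A1").Value = Now
End Sub
'''

# Constructed sample 3: identifier strings as they might survive in a compiled
# stream with no recoverable source (the p-code-only case).
PCODE_LIKE = b"\x02\x00Workbook_Open\x00\x00\x14Shell\x00\x05Environ\x00"

if __name__ == "__main__":
    for label, sample in [("dropper", DROPPER_SRC), ("benign", BENIGN_SRC), ("pcode", PCODE_LIKE)]:
        print(label, triage_vba(sample))
```

The AND condition is what keeps the medium/low findings (macros present, Environ() used) from becoming a verdict on their own; a Workbook_Open that only stamps a cell is reported as an auto-exec entry point but not flagged.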

Extracted artifacts (2)

Files carved from inside the sample during analysis.

1. macros.bas
   SHA-256: 0994c13e67005c73a656e612a78372356f71a5f3b2dcc854b11af79da6ef194f
   Kind: vba-macro
   Source: oletools.olevba.extract_macros (decoded VBA source)
   Size: 25530 bytes
   Detection: ClamAV: No threats found
   Obfuscation or payload: likely
   Carved macro source contains an auto-exec entry point and execution/download terms.

2. embedded_office_00004030.exe
   SHA-256: 1eff03ab2f3d20992879fcf7b15e57777dc3406a33342aa767d242fa293fb4f4
   Kind: embedded-pe
   Source: Office MZ+PE at offset 0x4030
   Size: 594896 bytes
   Detection: ClamAV: No threats found
   Obfuscation or payload: likely
   Carved macro source contains an auto-exec entry point and execution/download terms.
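The second artifact was produced by locating an MZ header at 0x4030, validating that its e_lfanew field points at a PE signature, and carving the image out. The carver below is an added example written for this page, not the tool's own code. It estimates the on-disk size from the section table (largest PointerToRawData + SizeOfRawData), which is why a carve has a definite size; appended overlay data would be missed by that estimate, a caveat worth remembering when the carved hash does not match a known family. The minimal PE image and the document-shaped buffer it is embedded in are constructed for the example and are not bytes from the analysed file.

```python
import hashlib
import struct


def _pe_file_size(data: bytes, mz: int, pe: int) -> int:
    """Size estimate from the section table: at least the headers, otherwise
    the furthest raw-section end. Capped at the remaining buffer length."""
    nsect, = struct.unpack_from("<H", data, pe + 6)       # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # COFF SizeOfOptionalHeader
    sect_off = pe + 24 + opt_size                         # first IMAGE_SECTION_HEADER
    end = sect_off + nsect * 40 - mz
    for i in range(nsect):
        off = sect_off + i * 40
        if off + 40 > len(data):
            break                                         # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data) - mz)


def find_embedded_pe(data: bytes):
    """Return (offset, size) for each MZ header whose e_lfanew lands on 'PE\\0\\0'.
    Plain 'MZ' in text is rejected because its e_lfanew does not validate."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew, = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # 0x40..0x1000 is a loose sanity bound for where the PE header sits.
            if 0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                found.append((pos, _pe_file_size(data, pos, pe)))
        pos = data.find(b"MZ", pos + 1)
    return found


def carve_pe(data: bytes, offset: int, size: int):
    """Cut the image out and hash it, as the artifact table reports it."""
    blob = data[offset:offset + size]
    return blob, hashlib.sha256(blob).hexdigest()


def artifact_name(offset: int) -> str:
    """Name in the same shape as the report's embedded_office_<offset>.exe."""
    return f"embedded_office_{offset:08x}.exe"


def build_fake_pe() -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    a mostly zero optional header and one section whose raw data sits at 0x200."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")                 # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000,
                       0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + b"\xcc" * 0x100


# Constructed document-shaped buffer: OLE2 magic, lure text containing a decoy
# 'MZ', padding up to 0x4030, the fake PE, then a little trailing data.
DOC = ((b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8
        + b"Lure text: request form. The letters MZ appear here as a decoy.")
       .ljust(0x4030, b"\0") + build_fake_pe() + b"\0" * 64)

if __name__ == "__main__":
    for off, size in find_embedded_pe(DOC):
        blob, digest = carve_pe(DOC, off, size)
        print(f"{artifact_name(off)} offset=0x{off:x} size={size} sha256={digest}")
```

On the real sample the same walk yields one hit at 0x4030 and a carve of 594896 bytes; the decoy 'MZ' in the lure text is rejected because the bytes at +0x3C do not point at a PE signature.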