Malicious Office (OLE) / .ORG — malware analysis report

Static analysis result for SHA-256 87eec4e4eace3e51…

MALICIOUS

Office (OLE) / .ORG

Size: 255.2 KB
Authoring application: Microsoft Excel
MD5: 0e08d6a931d03ed81ce398a5f568f200
SHA-1: d14414f3ef777a934b2677c92040c9c8999badd7
SHA-256: 87eec4e4eace3e51120d36aa968b987775dfaebb4182677d43ba4b85026e8899
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1027 Obfuscated Files or Information; T1140 Deobfuscate/Decode Files or Information

The sample is an Office document with a VBA macro. Heuristics indicate the presence of XOR-encoded strings (key 0xDE) and a reference to VirtualAlloc, suggesting the macro is designed to deobfuscate and execute shellcode. The 'OLE_VBA_MACROS' heuristic firing with 'no executable statements' is likely a false positive or refers to the top-level module, as other heuristics strongly suggest malicious macro activity. The macro source is too short to contain executable code, indicating the malicious logic is likely embedded elsewhere or dynamically generated.

Heuristics 4

  • XOR-encoded strings (key 0xDE) [critical] SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x43 bytes
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes