Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 882463ed3ebc8d0c…

MALICIOUS

Office (OLE) / .XLS

957.9 KB
MD5: 8b115ea5bf6fd4b53a0c328ec92fa161 SHA-1: d9054eb29560adc2b515f3f1385b709a27db9ab7 SHA-256: 882463ed3ebc8d0caa6575f78ba40dee0676b463af3c054521606f856e3f2430
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is an XLS document with a large slack space anomaly, indicating potential obfuscation or embedded content. A heuristic firing for Windows Script Host (SC_STR_WSCRIPT) suggests script execution capabilities. The document body contains financial data, but the presence of an embedded URL pointing to a government-like portal (ecpic.gov) is highly suspicious. This URL is likely used to host and deliver a malicious payload, possibly by masquerading as a legitimate service to trick the user into downloading it.

Heuristics 3

  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 980,894 bytes but its declared streams total only 5,996 bytes — 974,898 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://doc.ecpic.gov/PortalDefault.aspx?tabindex=2&tabid=2&action=intwiz&sec_id=a6251d86-13f1-4283-824c-b201c45d9a97
    • http://schemas.microsoft.com/intellisense/ie5
    • https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0
    • http://www.macromedia.com/go/getflashplayer

Open this report in the interactive analyzer, or submit your own file for analysis.