Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 924305d6e8f05f3a…

MALICIOUS

Office (OLE) / .XLS

656.7 KB
MD5: bcf97b31a1ca5a5b777a832ff76bb91f SHA-1: d32158e400ce957ca3a5188c86c21ce4f43b6ae5 SHA-256: 924305d6e8f05f3af0ee88addf5519c52b3f942956be93df2006ddb4c1cbb08c
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The presence of embedded URLs, one of which is marked as unknown reputation, combined with a high severity heuristic for OLE slack anomaly and a reference to VirtualAlloc API, indicates a suspicious file. The slack anomaly suggests potential obfuscation or hidden data within the OLE structure. The unknown reputation URLs are likely used for payload delivery or command and control.

Heuristics 3

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 672,449 bytes but its declared streams total only 56,346 bytes — 616,103 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.zone-archive.com
    • http://www.hentaikey.com/sys/members/signup.php?referal=7299
    • http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

Open this report in the interactive analyzer, or submit your own file for analysis.