Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 95614769d353a6d7…

MALICIOUS

Office (OLE) / .XLS

95.1 KB Authoring application: Microsoft Excel
MD5: 5f46f8caeae0db6fd3fc285e512e1eab SHA-1: e9e7a0a83b0b570f3cd3eed517377f6965dec64f SHA-256: 95614769d353a6d73dd9e57d1a49d1520d7ce78a0a942dcb0c56e668049f34db
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1027 Obfuscated Files or Information

The sample is an Excel file containing VBA macros. Heuristics indicate the presence of XOR-encoded strings and a call to VirtualAlloc, suggesting the macro is designed to deobfuscate and execute shellcode. The VBA project itself contains no executable statements, implying the malicious logic is likely embedded in a way that bypasses simple static analysis. The primary function appears to be downloading and executing a second-stage payload.

Heuristics 3

  • XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.