Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9794365d34432d28…

MALICIOUS

Office (OLE) / .XLS

Size: 716.0 KB
Authoring application: Microsoft Excel
MD5: 88b07b1504c749cadd1bde190a6d2e5e
SHA-1: 7f94a0c26d27cb9377576fe309b1d373e209535e
SHA-256: 9794365d34432d289974dd5041073aee908a32b9c809d1c4d07108a15a3e389c
Risk score: 88

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

The file is an Excel spreadsheet with a high-risk score and a significant amount of slack space, indicating potential obfuscation. While the VBA project itself contains no executable statements, the presence of embedded URLs and the 'SC_PEB_ACCESS' heuristic suggest malicious intent. The 'OLE_VBA_MACROS' heuristic firing with 'no executable statements' is unusual but does not negate the other indicators. The primary attack vector appears to be the embedded URLs, which are likely used to download and execute a secondary payload. Further analysis of the VBA macros is needed to confirm the exact execution flow.

Heuristics (4)

  • SC_PEB_ACCESS (severity: high): PEB access via FS segment (x86)
    PEB access via FS segment (x86)
  • OLE_SLACK_ANOMALY (severity: high): OLE document has large unaccounted-for region
    OLE file is 733,184 bytes but its declared streams total only 240,528 bytes; 492,656 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE_VBA_MACROS (severity: low): VBA project contains no executable statements
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • EMBEDDED_URL (severity: info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes