Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 98c0ba56bfadbf19…

MALICIOUS

Office (OLE) / .XLS

178.5 KB
MD5: 79d67fcacefe2325ea593488b33ca988 SHA-1: 43e2cbe98b1678de0a35ebd6ffe63900e54d7734 SHA-256: 98c0ba56bfadbf19eb61e5d1f2a1c0345e2cb6c38d069bce3a1f5df70423f5bf
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell

The sample exhibits high-risk heuristics indicating it leverages ShellExecute, LoadLibrary, and GetProcAddress APIs, suggesting dynamic code loading or execution. The 'SE_CLIPBOARD_COMMAND_LURE' heuristic is particularly concerning, as it implies the document instructs the user to copy and paste commands into a shell, a common social engineering tactic to bypass direct execution restrictions. The OLE slack anomaly further suggests the presence of hidden or packed code. While no specific malware family is identified, the techniques point towards a downloader or dropper.

Heuristics 6

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 182,784 bytes but its declared streams total only 56,346 bytes — 126,438 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://www.nirsoft.net/

Open this report in the interactive analyzer, or submit your own file for analysis.