Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 98c1791fcef0ea22…

MALICIOUS

Office (OLE) / .XLS

Size: 117.7 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 210eff888ab086aa0e58299fccc436fb
SHA-1: 43591da0b223274c0d97c557c8f3a72b7415b3bc
SHA-256: 98c1791fcef0ea22b47b7ffc6a416f35482c298050d94d4976f94010cb128c0e
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1055 Process Injection

The file exhibits high-confidence heuristic firings for CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, indicating it likely attempts to execute external code. The OLE slack anomaly suggests obfuscation or padding within the file structure. While no specific script content was extracted, the API calls strongly suggest the file's purpose is to download and execute a second-stage payload, likely from one of the embedded URLs. The benign reputation of most URLs reduces confidence in a specific delivery chain, but the core malicious behavior is indicated by the API usage.

Heuristics (6)

  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 120,520 bytes but its declared streams total only 24,565 bytes — 95,955 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ocsp.verisign.com0
    • http://ocsp.verisign.com01
    • https://www.verisign.com/rpa
    • http://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D
    • https://www.verisign.com/rpa0
    • http://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0
    • https://www.verisign.com/cps0*
    • http://logo.verisign.com/vslogo.gif0
    • http://crl.verisign.com/pca3.crl0