Win.Downloader.97183-1 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 aa02cbb8bc2b9fc4…

MALICIOUS

Office (OLE) / .XLS

125.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 160a72c2b38624d98ef03ee70ea63e2e SHA-1: 1ad4687138c8883d30d39a6da682cd7f09e2bd52 SHA-256: aa02cbb8bc2b9fc4a5edb6fafa08d0d77c54802f892d06a2746af62fb0372651
440 Risk Score

Malware Insights

Win.Downloader.97183-1 · confidence 95%

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer T1059.001 PowerShell

The sample is an OLE document containing an embedded PE executable, flagged by ClamAV as Win.Downloader.97183-1. Heuristics indicate suspicious API calls such as CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, along with a cmd.exe invocation. The presence of an embedded executable and these API calls strongly suggests the file's purpose is to download and execute a second-stage payload. The embedded executable itself is a primary IOC.

Heuristics 11

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Downloader.97183-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Downloader.97183-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 128,023 bytes but its declared streams total only 24,565 bytes — 103,458 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://%s:%d/net/B%s/search%s.php
    • http://%s:%d/net/B%s/serinfo
    • http://about:blank

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000fc13.exe
0a657338348acf7e0c82b1c98df17a0f3d398d8654bdacb803613da41855c397		 embedded-pe Office MZ+PE at offset 0xFC13 63492 bytes
Detection
ClamAV: Win.Downloader.97183-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.