Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ad813ea27374bddf…

MALICIOUS

Office (OLE) / .XLS

Size: 183.6 KB | Created: 1996-10-14 23:33:28 | Authoring application: Microsoft Excel
MD5: 6e78bcb02ba1e12361f0e334d784390b
SHA-1: 61ec685e81050a9f97c4e3580b262d02d119a34c
SHA-256: ad813ea27374bddf406487c4111173f68230e1758e12bfcce751249eb5ee51c0
Risk Score: 408

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an OLE document with a significant slack space anomaly and contains an embedded PE executable and an embedded SWF file. Heuristics indicate references to process creation and memory allocation APIs, strongly suggesting the embedded executable is intended to be run. The presence of a visible command execution instruction further supports this. The document itself does not contain user-facing content beyond sheet names, indicating its primary purpose is to deliver the embedded malicious payload.

Heuristics (12)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document [critical] OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 188,023 bytes but its declared streams total only 18,407 bytes — 169,616 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction [high] SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://adobe.com/AS3/2006/builtin
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: a4437065eec84f88ff355b97d8611ccfb25f1b88dcdb05d0b8745564ec078a06
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1074 bytes
  • Filename: embedded_office_00005c00.exe
    SHA-256: d1f84009505af2b833106c7bc31fac0cfd90a307f791e4ec490760770dac8e99
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x5C00
    Size: 164471 bytes