Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 af0b40a32de7a039…

MALICIOUS

Office (OLE) / .XLS

253.1 KB
MD5: fe23c7d832d81c021250d752c58f0002 SHA-1: c633be95613ff04d4c9b6bc72903706ac55655ef SHA-256: af0b40a32de7a0398482b0623c456bbc08c5404ffcb3b6df93a21012f9912c8b
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. A critical heuristic firing for XOR-encoded strings suggests that malicious code is present and likely hidden. The reference to CreateProcess API further supports the possibility of the execution of additional payloads. While no specific document body content was readable, the presence of unknown URLs suggests potential command and control or download locations. The overall indicators point towards a malicious document designed to execute further stages of an attack.

Heuristics 4

  • XOR-encoded strings (key 0x98) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x98: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA'
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 259,210 bytes but its declared streams total only 56,346 bytes — 202,864 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.cybafit.com/phpBB2/index.php
    • http://www.dietasia.com/inforoom/interactive/calculate.asp
    • http://www.esdlife.com/health/chi/life/toolkit/toolkit003.asp
    • http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://www.geocities.com/bread106/

Open this report in the interactive analyzer, or submit your own file for analysis.