Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b159b8f810ae707d…

MALICIOUS

Office (OLE) / .XLS

128.0 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel
MD5: 1be3acdd243bda91ae8135b9aa74b87c SHA-1: b545443cfaeaa6f0febf727cd5ef0c12ea8a9ab0 SHA-256: b159b8f810ae707d0af9b93a14bd9be2664882ee7c306eac98764b2d7ef7ee48
308 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an OLE document containing an embedded PE executable and references to URLDownloadToFile, CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress APIs. This indicates the document is designed to download and execute a secondary payload. The embedded executable and multiple unknown reputation URLs are strong indicators of malicious intent.

Heuristics 9

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 131,040 bytes but its declared streams total only 42,689 bytes — 88,351 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://12.184.115.132/images/fx0810.rar
    • http://208.15.24.71/aspnet_client/fx0810.rar
    • http://207.224.111.213/img/fx0810.rar
    • http://12.200.226.186/images/dl0803.rar
    • http://88.2.139.241/images/dl0803.rar
    • http://12.184.115.132/images/dl0803.rar
    • http://investor.msn.com/external/excel/quotes.asp?SYMBOL=[

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
73fe284b1e885bd0405ecb421b1224021163ce4aa3bca30e5a2deb64f9916b3c		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 684 bytes
embedded_office_000140a0.exe
59d2c98db920116105de4a22c036afb38848e305a98519ff5f15689709e7e4fb		 embedded-pe Office MZ+PE at offset 0x140A0 48960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.