Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 b2756cd316bc5cb3…

MALICIOUS

Office (OLE) / .XLSX

Size: 19.5 KB
First seen: 2022-03-29
MD5: 6f404751820f14dc2a63da5fb6452e20
SHA-1: c5b3c7ec6850290b1fb66ceeb5030c5040ec9e4b
SHA-256: b2756cd316bc5cb3e9e3a5c22fac41ca319709bea2a8bb3a6fcc8ed29a77b0b4
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an OLE (CFB) container whose contents are an MS-OFFCRYPTO encrypted OOXML (.xlsx) package, and its FAT sector chains are corrupted. Together these point to deliberate evasion: the encryption hides the inner workbook parts from scanners that only inspect the outer container, and the damaged FAT breaks strict structural OLE parsers. No payload or script was extracted from the inner package (the report attributes this to the encryption and the malformed container), so the MALICIOUS verdict rests on the structural heuristics below rather than on identified exploit code. An analyst confirming the verdict should carve the EncryptedPackage stream, decrypt it with the VelvetSweatshop password (for example msoffcrypto-tool -p VelvetSweatshop) and scan the resulting OOXML parts.

Heuristics (3)

  • [critical] OLE_ENCRYPTED_AND_MALFORMED: encrypted Office package with CFB FAT corruption
    The encrypted-package layout co-occurs with FAT-chain corruption, the documented combination used to evade static scanners: the encryption hides the inner OOXML and the damaged FAT trips strict OLE parsers.
  • [medium] OFFICE_ENCRYPTED_PACKAGE: Office document is password-encrypted
    The OLE container holds an MS-OFFCRYPTO encrypted package (Standard Encryption, Office 2007, AES) in its EncryptionInfo and EncryptedPackage streams.
  • [medium] OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML: Office OOXML encrypted with the default VelvetSweatshop password
    The EncryptedPackage stream decrypts with Excel's built-in VelvetSweatshop password. Excel tries this password transparently (Word and PowerPoint have no such default), so the workbook opens without a prompt while scanners that only inspect the outer OLE container never see the OOXML exploit parts.
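As an added worked example (not part of this report or of the scanner that produced it), the structural checks behind the first two heuristics in pure Python: parse the CFB header and directory, confirm the EncryptionInfo/EncryptedPackage stream pair, and walk every regular-sector FAT chain, flagging sectors outside the file, loops, and chains that end before the declared stream size. The container is constructed in memory and is not the b2756cd3… sample; the verdict strings reuse the report's two heuristic IDs, while MALFORMED_ONLY and STRUCTURE_OK are labels I made up here. Mini-stream chains (streams below the cutoff) and DIFAT sectors beyond the 109 header entries are not walked, which a production parser such as olefile does handle.

```python
"""Structural triage of an OLE/CFB container for the two shapes the report flags:
the MS-OFFCRYPTO stream pair (EncryptionInfo + EncryptedPackage) and FAT-chain
corruption. Sample data is constructed here, not taken from the analysed file."""
import struct

SECTOR_SHIFT = 9
SECTOR = 1 << SECTOR_SHIFT
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def _dir_entry(name, otype, left, right, child, start, size):
    """One 128-byte CFB directory entry; CLSID, state bits and timestamps left zero."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return (raw.ljust(64, b"\x00") + struct.pack("<HBB", len(raw), otype, 1)
            + struct.pack("<III", left, right, child) + b"\x00" * 36
            + struct.pack("<IQ", start, size))


def build_sample_encrypted_xlsx(package_size=5000):
    """Constructed sample: a CFB container holding only the MS-OFFCRYPTO streams.
    Layout: sector 0 = FAT, sector 1 = directory, sectors 2.. = EncryptedPackage.
    EncryptionInfo is declared small (mini stream); no mini stream is emitted."""
    n_pkg = -(-package_size // SECTOR)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_pkg)) + [ENDOFCHAIN]
    fat += [FREESECT] * (SECTOR // 4 - len(fat))
    header = bytearray(SECTOR)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, SECTOR_SHIFT, 6)
    # dir sectors, FAT sectors, first dir, txn sig, mini cutoff, first miniFAT, #miniFAT, first DIFAT, #DIFAT
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))  # DIFAT[0] -> FAT sector 0
    directory = (_dir_entry("Root Entry", 5, NOSTREAM, NOSTREAM, 1, ENDOFCHAIN, 0)
                 + _dir_entry("EncryptionInfo", 2, NOSTREAM, 2, NOSTREAM, 0, 224)
                 + _dir_entry("EncryptedPackage", 2, NOSTREAM, NOSTREAM, NOSTREAM, 2, package_size))
    # A real EncryptedPackage starts with the 8-byte plaintext length, then ciphertext; 0xAA stands in
    package = struct.pack("<Q", package_size - 8) + b"\xAA" * (package_size - 8)
    return (bytes(header) + struct.pack("<%dI" % len(fat), *fat)
            + directory.ljust(SECTOR, b"\x00") + package.ljust(n_pkg * SECTOR, b"\x00"))


def corrupt_fat(data, sector_index, new_value):
    """Overwrite one FAT entry (the FAT is sector 0 in the sample) to simulate chain damage."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, SECTOR + 4 * sector_index, new_value)
    return bytes(buf)


def triage_cfb(data):
    """Return stream names, whether the MS-OFFCRYPTO pair is present, FAT errors and a verdict."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE file")
    sector = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    cutoff, = struct.unpack_from("<I", data, 0x38)
    n_sectors = (len(data) - sector) // sector
    errors, fat = [], []
    for i in range(min(n_fat, 109)):            # only FAT sectors listed in the header DIFAT
        s, = struct.unpack_from("<I", data, 0x4C + 4 * i)
        if s >= n_sectors:
            errors.append("FAT sector %d lies outside the file" % s); break
        fat.extend(struct.unpack_from("<%dI" % (sector // 4), data, (s + 1) * sector))

    def walk(start, need_bytes, label):
        """Follow one FAT chain; return (sectors, error or None)."""
        chain, seen, s = [], set(), start
        while s != ENDOFCHAIN:
            if s >= FATSECT:
                return chain, "%s: chain hits reserved value 0x%08X" % (label, s)
            if s >= n_sectors or s >= len(fat):
                return chain, "%s: chain points to sector %d outside the file" % (label, s)
            if s in seen:
                return chain, "%s: FAT loop at sector %d" % (label, s)
            seen.add(s); chain.append(s); s = fat[s]
        if len(chain) * sector < need_bytes:
            return chain, "%s: chain ends after %d bytes but stream size is %d" % (label, len(chain) * sector, need_bytes)
        return chain, None

    dir_chain, err = walk(first_dir, 0, "directory")
    if err: errors.append(err)
    names = []
    for s in dir_chain:
        for off in range((s + 1) * sector, (s + 2) * sector, 128):
            entry = data[off:off + 128]
            if len(entry) < 128: break
            name_len, otype = struct.unpack_from("<HB", entry, 0x40)
            if otype == 0 or not 2 <= name_len <= 64: continue
            name = entry[:name_len - 2].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", entry, 0x74)
            names.append(name)
            if otype == 2 and size >= cutoff:     # smaller streams sit in the mini stream, not walked here
                _, err = walk(start, size, name)
                if err: errors.append(err)
    encrypted = {"EncryptionInfo", "EncryptedPackage"} <= set(names)
    verdict = ("OLE_ENCRYPTED_AND_MALFORMED" if encrypted and errors else
               "OFFICE_ENCRYPTED_PACKAGE" if encrypted else
               "MALFORMED_ONLY" if errors else "STRUCTURE_OK")
    return {"streams": names, "encrypted": encrypted, "fat_errors": errors, "verdict": verdict}


if __name__ == "__main__":
    clean = build_sample_encrypted_xlsx()
    print(triage_cfb(clean)["verdict"])
    for desc, bad in (("exits file", corrupt_fat(clean, 6, 500)),
                      ("loops", corrupt_fat(clean, 6, 4)),
                      ("ends early", corrupt_fat(clean, 6, ENDOFCHAIN))):
        r = triage_cfb(bad)
        print(desc, "->", r["verdict"], r["fat_errors"])
```

The three corruptions patched into the sample are the failure modes a strict parser trips on: a chain that leaves the file, a chain that loops, and a chain that stops before covering the stream size. Only when the encrypted-package layout and at least one such error are both present does the verdict escalate to OLE_ENCRYPTED_AND_MALFORMED, which is the co-occurrence the report's first heuristic describes.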