Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b3f0db8a0f336e21…

MALICIOUS

Office (OLE) / .XLS

Size: 179.2 KB
Authoring application: Microsoft Excel
MD5: 2fc1016a131f213b9db814ba99adcb27
SHA-1: d6883e65bc470797f95902c1f734f441f738bc0c
SHA-256: b3f0db8a0f336e21934f97e3dbe6d056793c49d8cf019cb7ab3e258e4cdca13e
Risk Score: 68

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Excel file identified as malicious. Static analysis revealed the presence of XOR-encoded strings, a common obfuscation technique used in malicious VBA macros. Although the VBA macro source is present, it contains no executable statements, suggesting the malicious logic might be embedded elsewhere or the heuristic is misinterpreting the content. The primary indicator of maliciousness is the critical heuristic firing for XOR-encoded strings.

Heuristics (2)

  • XOR-encoded strings (key 0xDE) [critical] [SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • VBA project contains no executable statements [low] [OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 606 bytes