Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b6df4b72fecd62aa…

MALICIOUS

Office (OLE) / .XLS

Size: 87.2 KB
Authoring application: Microsoft Excel
MD5: 4c8a7a9e6484329aa880eb7e490e39db
SHA-1: 817add8ea7600095a4827b826ea4ea636a0b8ce5
SHA-256: b6df4b72fecd62aa02ac03b3aa20614e5da92fa7445f654a185236e0735e7632
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an Excel file with a verdict of malicious. Static analysis detected the presence of a VBA project and a critical heuristic firing for XOR-encoded strings, which suggests obfuscated malicious code. The reference to the VirtualAlloc API further indicates potential in-memory code execution. Although no specific URLs or executable scripts were extracted, the combination of VBA and XOR encoding strongly implies an attempt to download and execute a second-stage payload. The XOR key 0xDE was identified.

Heuristics (3)

  • XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     606 bytes