Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b7ba0154a8566813…

MALICIOUS

Office (OLE) / .XLS

207.5 KB
MD5: 6dc2df29464aa0686f74d6760ca60f70 SHA-1: 1184d78de8d404f8b4b5bb3dd7ba56f210c52b14 SHA-256: b7ba0154a856681358cacb4ef24851dbd50b847f42508c5c4a72592927203249
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1218 System Binary Proxy Execution

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics firing for LoadLibrary and GetProcAddress strongly suggest the document is designed to dynamically load and execute code. While the embedded URLs are confirmed benign, the overall structure and API calls point towards a malicious downloader or dropper.

Heuristics 4

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 212,480 bytes but its declared streams total only 56,346 bytes — 156,134 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

Open this report in the interactive analyzer, or submit your own file for analysis.