Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b7cd5a96fee50407…

MALICIOUS

Office (OLE) / .XLS

178.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: cec4ffeccc2f06eb69116c2392f8cefc SHA-1: 3a295765ee486e3b68d75d58448775253fc98ad3 SHA-256: b7cd5a96fee504072769e9e0aa9e15f81ae66f45c46df24144fdb33fbf974741
360 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1559.001 Component Object Model Hijacking

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation. Critical heuristics indicate the presence of an embedded PE executable and an embedded SWF file. References to WinExec, CreateProcess, ShellExecute, LoadLibrary, and GetProcAddress APIs suggest dynamic code execution capabilities. The embedded executable and SWF file are likely the primary malicious components, intended to be dropped and executed by the OLE container.

Heuristics 9

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 182,272 bytes but its declared streams total only 21,308 bytes — 160,964 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.neave.com/
    • http://www.cyberiapc.com/cgi-bin/pacmanscores.pl

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00008868.exe
a8f020762ff4c8d91b472d98756f3653aab9cf539bdae6e2a1c9c33092f064f3		 embedded-pe Office MZ+PE at offset 0x8868 147352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.