Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bd509f4b4425d226…

MALICIOUS

Office (OLE) / .XLS

Size: 1.03 MB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 738b307f892bcca4e40c8b9c78da52e1
SHA-1: 46d0edc0a11ed88c0a39bc2118b3c4e071413a4b
SHA-256: bd509f4b4425d226e3cb837d43e26564166ddfa37d934da2707289d2d8aa1835
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1218 System Binary Proxy Execution
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample exhibits characteristics of an advance-fee scam, using language related to lotteries and parcel delivery to deceive the user. High-severity heuristics indicate the use of ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the execution of malicious code, likely to download and run a second-stage payload. No scripts were extracted, but the presence of embedded URLs and the advance-fee scam lure strongly indicate a malicious intent.

Heuristics (7)

  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,082,304 bytes but its declared streams total only 24,565 bytes — 1,057,739 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.dailynewschicago.com/
    • http://blogs.suburbanchicagonews.com/green/julie-todd/2009/01/
    • http://www.lesliemann.net
    • http://www.nnntv.org/inside.php?page=contact_form&to=thenews
    • http://blogs.southtownstar.com/homerglen/
    • http://blogs.southtownstar.com/oaklawn/
    • http://www.chicagohomemag.com/Chicago-Home/Design-Dose/
    • http://www.theseminal.com
    • http://featuresblogs.chicagotribune.com/entertainment_popmachine/
    • http://wgnradio.com/weblog/steveandjohnnie/index.html
    • http://www.runningnewsguy.abc7chicago.com
    • http://newsblogs.chicagotribune.com/sports_globetrotting/
    • http://blogs.chicagoreader.com/chicagoland/
    • http://www.straightdope.com/
    • http://newsblogs.chicagotribune.com/religion_theseeker/