Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bef59b362c497bee…

MALICIOUS

Office (OLE)

Size: 47.5 KB | Created: 1996-10-14 23:33:28 | Authoring application: Microsoft Excel
MD5: bc24bd2f310e06150a2ee336a9446f4b
SHA-1: f0008dd0f13661cd7752c50fa4f5bd664b49503e
SHA-256: bef59b362c497bee99355a6b65eadd32ebc62b3b8767138ae0a497aa6ee32f22
Risk Score: 68

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an Excel document with a critical heuristic firing for XOR-encoded strings, indicating obfuscation. Although the VBA project contains no executable statements, an embedded URL was found. The document body is heavily obfuscated and unreadable, suggesting an attempt to hide malicious content. The presence of XOR-encoded strings and an embedded URL points towards a downloader or a phishing lure.

Heuristics (3)

  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://investor.msn.com/external/excel/quotes.asp?SYMBOL=[

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  73fe284b1e885bd0405ecb421b1224021163ce4aa3bca30e5a2deb64f9916b3c
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     684 bytes