Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c6e3f76da3dce26d…

MALICIOUS

Office (OLE) / .XLS

204.9 KB Authoring application: Microsoft Excel
MD5: af09603ce1ba81bff6f405146440c6d8 SHA-1: 2d1522465bdf50fe08dbae606b01c1ef9329766e SHA-256: c6e3f76da3dce26d1708d8692a81706f37afd3edc31d1560cd8edb807ea60f97
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1218.011 Signed Binary Proxy Execution: Rundll32 T1071.001 Web Protocols: Web Protocols T1105 Ingress Tool Transfer

The sample exhibits high-confidence heuristic firings related to PEB access and API hash resolution, indicating sophisticated evasion techniques. It references LoadLibraryA and GetProcAddress, suggesting dynamic loading of malicious code. Although no VBA macros were found to contain executable statements, the presence of embedded URLs and the file's malicious verdict point towards a downloader or droppper functionality. The IOCs listed are core Windows DLLs and registry keys commonly abused by malware.

Heuristics 6

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.