Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ca47e2e5fe9ec77e…

MALICIOUS

Office (OLE) / .XLS

Size: 4.68 MB
Created: 2008-12-12 20:41:00
MD5:     2285df9ef212aaa28a110671e3740a10
SHA-1:   df3c28d445a56fd645532498baa33814ba58b270
SHA-256: ca47e2e5fe9ec77eb035a567dbdced73c26eb91e024803989e630f6d4e0f6c79
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1137.001 Office Application Startup: Office Template Macros
T1559.001 Inter-Process Communication: Component Object Model

The sample is an Office XLS file containing VBA macros and an embedded PE executable. The file also carries string references to the WinExec and VirtualAlloc APIs, a pair consistent with a dropper that writes an executable to disk and launches it, or that maps code into memory in-process. The embedded executable is the likely primary payload, presumably written out and executed by the macro. Because this is a static result, that macro-to-payload chain is inferred from structure and strings rather than observed at runtime.

Heuristics (5)

  • OLE with Ole10Native, possible CVE-2026-21514 exploitation [high] CVE_2026_21514
    The document contains an OLE object whose Ole10Native (Packager) stream is accompanied by executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE metadata validation, and the heuristic treats this stronger structure as likely exploitation. Caveat: Ole10Native is the standard format for any packaged embedded file, so this is structural evidence, not confirmation that the vulnerability is triggered. The rule text was written for Word objects, while here the stream sits in an Excel embedded-object storage (MBD001E1A41/Ole10Native, listed under extracted artifacts).
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    An MZ/PE header was found inside the document (at offset 0x3604, see extracted artifacts), indicating an embedded Windows executable.
  • Reference to WinExec API [high] SC_STR_WINEXEC
    String reference to WinExec (kernel32), an API commonly used by droppers to launch a file they have just written to disk.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    String reference to VirtualAlloc, commonly used to allocate writable memory for in-process code (shellcode or a manually loaded PE).
  • VBA macros detected [medium] OLE_VBA_MACROS
    The document contains VBA macro code (decoded source extracted as macros.bas).

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 16f38f0a92a74b76fceb937bb53268e23900ebb890c205ef8dd9ed9f465ea4b5
  Kind:    vba-macro
  Source:  oletools.olevba.extract_macros (decoded VBA source)
  Size:    4413 bytes

Filename: embedded_office_00003604.exe
  SHA-256: cedc7d7b57514d5d6192335897a0c86130080e70bd8113f93e5b2962ad28721f
  Kind:    embedded-pe
  Source:  Office MZ+PE at offset 0x3604
  Size:    4890620 bytes

Filename: ole10native_00.bin
  SHA-256: 4d8d2101fae65772625fdbb320a31e07458b1ff3e4351c545dc28322f164de8b
  Kind:    ole-package
  Source:  OLE Ole10Native stream: MBD001E1A41/Ole10Native
  Size:    41580 bytes
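The two structural heuristics in this report (Ole10Native object, embedded MZ/PE) and the last two carved artifacts rest on checks an analyst can reproduce: parsing the Ole10Native (Packager) stream to recover the embedded file and its declared name, and confirming that a blob really is an MZ/PE image by following e_lfanew to the "PE\0\0" signature instead of matching "MZ" alone. The Python below is an added example, not the analysis platform's code. The stream it parses is constructed inline (a tiny non-runnable PE stub with a made-up label and paths), not the 41580-byte ole10native_00.bin from this report, and the layout it assumes is the well-known Packager format: 4-byte size, 0x0002 flags, NUL-terminated label, NUL-terminated source path, 0x00000300, temp-path length, temp path, data size, data.

```python
"""Parse an Ole10Native (Packager) stream and check whether the embedded
object is a PE image. Added example; the sample stream is CONSTRUCTED here."""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass
class Ole10Native:
    label: str          # display name the packager shows (often the original filename)
    src_path: str       # path of the file when it was embedded
    temp_path: str      # path Packager will write to when the object is activated
    declared_size: int  # data length claimed by the stream
    data: bytes         # embedded payload actually present
    truncated: bool     # declared sizes exceed the bytes present (malformed or cut stream)


def _read_cstring(buf: bytes, pos: int) -> tuple[str, int]:
    """Read a NUL-terminated ANSI string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    total, flags = struct.unpack_from("<IH", stream, 0)
    if flags != 0x0002:  # strict: surface malformed streams instead of mis-parsing them
        raise ValueError(f"unexpected Ole10Native flags 0x{flags:04x}")
    pos = 6
    label, pos = _read_cstring(stream, pos)
    src_path, pos = _read_cstring(stream, pos)
    pos += 4                                   # constant 0x00000300 in Packager streams
    pos += 4                                   # temp-path length (redundant with the NUL)
    temp_path, pos = _read_cstring(stream, pos)
    declared_size, = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + declared_size]
    truncated = len(data) < declared_size or total + 4 > len(stream)
    return Ole10Native(label, src_path, temp_path, declared_size, data, truncated)


def pe_header_offset(blob: bytes) -> int | None:
    """Offset of 'PE\\0\\0' if blob is a well-formed MZ/PE image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def find_mz_pe(doc: bytes) -> list[int]:
    """Scan a whole container for embedded PE images (the OLE_EMBEDDED_EXE check)."""
    hits, start = [], 0
    while (i := doc.find(b"MZ", start)) != -1:
        if pe_header_offset(doc[i:]) is not None:
            hits.append(i)
        start = i + 1
    return hits


def build_fake_pe() -> bytes:
    """Constructed stub: DOS header with e_lfanew=0x40, PE signature, padding.
    Not an executable; just enough structure to be recognised as MZ/PE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Serialise a Packager stream in the layout parse_ole10native expects (constructed)."""
    body = struct.pack("<H", 0x0002)
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", 0x00000300)
    body += struct.pack("<I", len(temp_path) + 1)
    body += temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed sample; label and paths are invented for the example.
SAMPLE_STREAM = build_ole10native("invoice.exe", "C:\\Users\\victim\\invoice.exe",
                                  "C:\\Temp\\invoice.exe", build_fake_pe())


def analyse(stream: bytes) -> dict:
    obj = parse_ole10native(stream)
    return {
        "label": obj.label,
        "declared_size": obj.declared_size,
        "truncated": obj.truncated,
        "is_pe": pe_header_offset(obj.data) is not None,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_STREAM))
    print("MZ/PE headers in container at offsets:", [hex(o) for o in find_mz_pe(SAMPLE_STREAM)])
```

`truncated` flags a declared data size larger than the bytes actually present, the sort of inconsistency an analyst should treat as suspicious rather than silently clip. oletools' oleobj performs the same parse permissively; this version raises on an unexpected flags word so a malformed stream is surfaced instead of being mis-read as a benign package.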