Office (OLE) / .XLS malware analysis — malicious · cb50dc3b0c514db4

MALICIOUS

Office (OLE) / .XLS

91.2 KB Authoring application: Microsoft Excel

MD5: 92ef1c651143e9563482cdd850818bda SHA-1: 3fa2212500ab0aca195050f04a4e35bcba693428 SHA-256: cb50dc3b0c514db483c1a3c92e53cb7e94845c7fdf793741b8e18263e5cf77e1

88 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel file with VBA macros. The 'SC_XOR_ENCODED' heuristic indicates that strings within the macro are obfuscated using XOR, and 'SC_STR_VIRTUALALLOC' suggests the use of memory allocation APIs, common for executing shellcode. Although the VBA macro source is minimal and lacks executable statements according to the 'OLE_VBA_MACROS' heuristic, the presence of XOR-encoded strings and VirtualAlloc API calls strongly suggests an attempt to download and execute a second-stage payload. The document body is heavily corrupted and unreadable, providing no contextual clues.

Heuristics 3

XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.