Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ce2c475461d57f22…

MALICIOUS

Office (OLE) / .XLS

781.5 KB Created: 2025-08-04 06:33:36
MD5: 81159738f7ffb50d5bc3c75e5e0ac546 SHA-1: 1bf3bf9e27fcc89ae7d38dafe5d71d7d9dfd4286 SHA-256: ce2c475461d57f222a6aa22f49420f804a43c2eb29abf8553457a7d30f7cb024
588 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1059.003 Windows Command Shell

The sample is an Excel spreadsheet containing a price list, which serves as a lure. It contains VBA macros that automatically execute upon opening, specifically a Workbook_Open macro that calls the 'shell' function. This macro is designed to drop and execute an embedded PE executable (embedded_office_000038bd.exe), as indicated by the 'OLE_EMBEDDED_EXE' and 'EXTRACTED_FILE_CLAMAV' heuristics. The embedded executable is detected by ClamAV as Win.Loader.Covenant-10058832-0, suggesting it's a loader for further malicious activity.

Heuristics 14

  • XOR-encoded strings (key 0x75) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x75: 'LoadLibraryW'
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Doc.Malware.Macros-10058718-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Macros-10058718-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • PEB access via GS segment (x64) high SC_PEB_ACCESS_X64
    PEB access via GS segment (x64)
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9f432fc77d2da8c384dd0014fea97e8a38f68617c902061caa00af0c8b574504		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 23242 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
embedded_office_000038bd.exe
4f59a15ec8954971503d0a14a31d849c1930096c31f53c8b01dee45659cdf324		 embedded-pe Office MZ+PE at offset 0x38BD 785731 bytes
Detection
ClamAV: Win.Loader.Covenant-10058832-0
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.