Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d85f47c9611e9073…

MALICIOUS

Office (OLE) / .XLS

Size: 130.0 KB (133,120 bytes)
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 3362d527d7eb69c5ecf052bdab94981c
SHA-1: 5d0208b1c9674267106c9fcf0d1a1fc52cbad409
SHA-256: d85f47c9611e9073b375fd618916fbc44d559731257b38abe5145f49eb85d559
Risk score: 440

Malware Insights

MITRE ATT&CK
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1204.002 User Execution: Malicious File

The file is an Excel spreadsheet with a PE executable embedded in it, which three critical heuristics flag (the MZ/PE header inside the document, and ClamAV hits on both the document and the carved executable). Strings referencing `cmd.exe` with an execution flag and the `CreateProcess`, `VirtualAlloc`, `LoadLibrary` and `GetProcAddress` APIs indicate code built to load and execute further code. Together with the extracted URLs, the embedded executable points to downloader or dropper functionality that retrieves and runs additional payloads. Note that the URLs contain printf-style placeholders (`%s:%d`): they are format templates whose host, port and path components are filled in at runtime, so the strings above are not usable as block-list entries as-is.

Heuristics 11

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Downloader.97183-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Downloader.97183-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 133,120 bytes but its declared streams total only 24,565 bytes — 108,555 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://%s:%d/net/B%s/search%s.php
    • http://%s:%d/net/B%s/serinfo
    • http://about:blank
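
The OLE_SLACK_ANOMALY figure above is file size minus the sum of the stream sizes declared in the compound-file directory. The following is an added example, not the analysis platform's own code, that reproduces that arithmetic with a stdlib-only CFB parser and additionally counts the sectors the FAT marks FREESECT, which is the precise set of bytes a normal Office parser never reads. It assumes CFB v3 with only the 109 in-header DIFAT entries (no DIFAT sectors), and runs on a minimal compound file constructed in-line rather than on the sample from this report.

```python
"""Measure how much of an OLE compound file lies outside its declared streams.

Added example; not the analysis platform's own code. It reproduces the
OLE_SLACK_ANOMALY arithmetic (file size minus declared stream sizes) and
also counts the sectors the FAT marks FREESECT, which is the precise set of
bytes no stream can reach. Assumption: CFB v3 using only the 109 in-header
DIFAT entries (no DIFAT sectors), i.e. files under roughly 7 MB.
"""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
STGTY_STREAM, STGTY_ROOT = 2, 5


def ole_slack_report(data):
    """Return declared-stream bytes, the report-style 'unaccounted' figure and
    the bytes sitting in sectors the FAT leaves unallocated."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]            # sector size
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []                                                    # one uint32 per sector
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))

    def chain(start):
        """Follow a FAT chain; stop on ENDOFCHAIN, out-of-range index or a loop."""
        seen = []
        while start <= MAXREGSECT and start < len(fat) and start not in seen:
            seen.append(start)
            start = fat[start]
        return seen

    streams = []
    for s in chain(first_dir):                                  # directory sectors
        for e in range(sec // 128):
            ent = (s + 1) * sec + e * 128
            if data[ent + 66] != STGTY_STREAM:
                continue
            name_len = struct.unpack_from("<H", data, ent + 64)[0]
            name = data[ent:ent + max(name_len - 2, 0)].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", data, ent + 120)[0] & 0xFFFFFFFF   # v3: low dword
            streams.append((name, size))
    declared = sum(size for _, size in streams)

    # Sectors physically present in the file but marked free, or lying past the
    # FAT's coverage: nothing in the directory can ever point at them.
    present = (len(data) - sec) // sec
    free = sum(1 for i in range(present) if i >= len(fat) or fat[i] == FREESECT)
    unaccounted = len(data) - declared
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": declared,
        "unaccounted_bytes": unaccounted,
        "unaccounted_pct": round(100 * unaccounted / len(data)),
        "free_sector_bytes": free * sec,
    }


def build_sample():
    """Constructed input: minimal CFB v3 (512-byte sectors) holding one
    300-byte 'Workbook' stream, followed by four sectors no FAT entry claims."""
    sec = 512
    hdr = bytearray(sec)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<IIIIIII", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0)
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)             # no DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))

    def entry(name, etype, start, size, child=NOSTREAM):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\0\0"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), etype, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = (entry("Root Entry", STGTY_ROOT, ENDOFCHAIN, 0, child=1)
                 + entry("Workbook", STGTY_STREAM, 2, 300) + bytes(2 * 128))
    workbook = (bytes(range(256)) + bytes(44)).ljust(sec, b"\0")  # 300 bytes declared
    slack = b"\x90" * (4 * sec)                                    # unreferenced sectors
    return bytes(hdr) + fat + directory + workbook + slack


if __name__ == "__main__":
    r = ole_slack_report(build_sample())
    print("%(file_size)d bytes, %(declared_stream_bytes)d declared, "
          "%(unaccounted_bytes)d (%(unaccounted_pct)d%%) unaccounted, "
          "%(free_sector_bytes)d in free sectors" % r)
```

For real samples use olefile or oletools, which handle DIFAT sectors, v4 files and mini streams; the point of the hand-rolled parser is to make the metric transparent. The "unaccounted" figure overstates slack slightly because header, FAT and directory sectors are legitimately outside any stream, so the free-sector count is the number to quote when deciding where to look for a hidden payload.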

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_office_0000fbfc.exe
SHA-256: 2ff24d698c7113dc3d42c830fb0d9c3b5faa7abe29d2ee7c98fc7d86330b7ed9
Kind: embedded-pe
Source: Office MZ+PE at offset 0xFBFC
Size: 68612 bytes
Detection: ClamAV: Win.Downloader.97183-1
Obfuscation or payload: unlikely

Consistency check: 0xFBFC is 64,508 bytes, and 64,508 + 68,612 = 133,120, the size of the document itself, so the carved executable runs to the exact end of the file.
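
The carving step behind the "MZ+PE at offset" line is shown below as an added example; it is not the analysis platform's code. It scans a byte blob for `MZ`, follows `e_lfanew` to `PE\0\0`, and sizes the image from the section table (largest `PointerToRawData + SizeOfRawData`, never less than `SizeOfHeaders`), which is how an on-disk PE is laid out. A bare `MZ` without valid headers behind it is rejected. The input is a PE32 constructed in-line, so the offset and size it prints belong to that constructed blob, not to this report's sample; the `0x40..0x1000` bound on `e_lfanew` is a plausibility assumption, not a format rule.

```python
"""Carve embedded PE images out of a byte blob (the OLE_EMBEDDED_EXE check).

Added example; not code from the analysis platform behind this report.
The input here is constructed in-line, so the offsets/sizes it reports are
those of the constructed sample, not the report's 0xFBFC / 68612 bytes.
"""
import struct

MZ, PE = b"MZ", b"PE\x00\x00"


def pe_raw_size(data, pe_off):
    """On-disk size of the PE whose 'PE\\0\\0' sits at pe_off, or None if malformed.

    Raw size = max(PointerToRawData + SizeOfRawData) over the section table,
    never less than SizeOfHeaders; that is how the file image is laid out.
    """
    coff = pe_off + 4
    if coff + 20 > len(data):
        return None
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if not 0 < nsect <= 96 or opt + opt_size > len(data):
        return None
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    end = struct.unpack_from("<I", data, opt + 60)[0]                 # SizeOfHeaders
    for i in range(nsect):
        sh = opt + opt_size + i * 40
        if sh + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, sh + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(data):
    """Return [(offset, size), ...] for every validated PE image in data.

    A bare 'MZ' is not enough: e_lfanew must land on 'PE\\0\\0' and the headers
    must parse, otherwise the two bytes are treated as a false positive.
    """
    found, pos = [], data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            # 0x40..0x1000 is a plausibility bound (assumption), not a format rule
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == PE:
                size = pe_raw_size(data, pos + e_lfanew)
                if size:
                    found.append((pos, min(size, len(data) - pos)))  # clamp if truncated
        pos = data.find(MZ, pos + 1)
    return found


def build_sample():
    """Constructed input: a minimal PE32 with one .text section, preceded by
    filler that also contains a stray 'MZ' with nothing valid behind it.
    Returns (blob, expected_offset, expected_size)."""
    opt_size = 224                                           # standard PE32 optional header
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> right after stub
    coff = PE + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                   # SizeOfHeaders
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x200) + bytes(16)
    image = (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b"\0") + b"\xCC" * 0x100
    prefix = b"A" * 100 + MZ + b"B" * 50                     # stray MZ at offset 100
    return prefix + image + b"C" * 64, len(prefix), len(image)


if __name__ == "__main__":
    blob, off, size = build_sample()
    for o, n in carve_pe(blob):
        print("PE at 0x%X, %d bytes" % (o, n))               # -> PE at 0x98, 768 bytes
```

To carve a hit to disk, write `blob[o:o + n]` to a file named after the offset (the report's `embedded_office_0000fbfc.exe` follows that convention). The size clamp at the end of `carve_pe` matters for a document that was truncated in transit: the section table can promise more bytes than the container holds, and the carved file should stop at the container's end rather than raise.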