Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 df7b3bc1fbe787b0…

MALICIOUS

Office (OLE) / .XLS

Size: 179.2 KB
Authoring application: Microsoft Excel
MD5: 913742b430fe8a03143a5ded24fa8cb7
SHA-1: 770fd293e1d757c5425f5e9839d6fcc41b0e3f81
SHA-256: df7b3bc1fbe787b008ea2b77f13dacaba4667106833cb9127cdcb68dc3184489
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1027 Obfuscated Files or Information

The critical heuristic that fired for XOR-encoded strings (key 0xDE) indicates obfuscation, most likely used to hide malicious code within the VBA macros. The reference to the VirtualAlloc API suggests memory manipulation in preparation for payload execution. Although no specific URLs or hashes were extracted, the presence of obfuscated VBA macros strongly suggests downloader or dropper functionality, aiming to fetch and execute a second-stage payload.

Heuristics (3)

  • XOR-encoded strings (key 0xDE) [critical, SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API
  • VBA project contains no executable statements [low, OLE_VBA_MACROS]
    Document contains a VBA project, but the extracted modules contain only attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 606 bytes