Office (OLE) / .XLS malware analysis — malicious · e0e1633541331865

MALICIOUS

Office (OLE) / .XLS

179.2 KB Authoring application: Microsoft Excel

MD5: 39f3785923422251dbf70bf2a7385a41 SHA-1: 59f908ee1a45af38b3be0fc46ece5d55396d6dc2 SHA-256: e0e16335413318659cfc81a0cc3024d6f154544e800cbd0cb0d1fca607c03b85

68 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Excel spreadsheet (OLE) with VBA macros. A critical heuristic firing indicates XOR-encoded strings with a key of 0xDE, suggesting obfuscation to hide malicious content. Although the VBA project contains no executable statements directly, the presence of encoded strings points towards a downloader or dropper functionality. The document body is heavily corrupted and unreadable, providing no further context. The primary IOC is the XOR key used for obfuscation.

Heuristics 2

XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	606 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.