Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e458eaf61ceb4c04…

MALICIOUS

Office (OLE) / .XLS

677.5 KB
MD5: 4d060c1de64370917a01a99d0e1eb529 SHA-1: 5b50c47ae931ec40f3d9c389aef1b9f5b1cdf928 SHA-256: e458eaf61ceb4c048b9bddfa6cb587ac0171b702716c0fce8a77137ce030c5c2
180 Risk Score

Malware Insights

MITRE ATT&CK
T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information

The presence of LoadLibrary and GetProcAddress API calls, along with XOR-encoded strings (key 0x1C), indicates the sample is likely attempting to deobfuscate and load malicious code. The large slack space in the OLE file structure is also a common characteristic of packed or obfuscated malware. While no specific URLs or executable scripts were directly extracted, the heuristics strongly suggest a downloader or dropper functionality.

Heuristics 5

  • XOR-encoded strings (key 0x1C) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x1C: 'ADVAPI32.DLL'
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 693,760 bytes but its declared streams total only 56,346 bytes — 637,414 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.