Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 eb097dfbe3b46945…

MALICIOUS

Office (OLE) / .XLS

Size: 104.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: b3a428da6d9b839bb36b2e07d05742a9
SHA-1: 0632c65a44adaf9ecfc57d9c862da5b8e288b2d6
SHA-256: eb097dfbe3b46945fdd822e317e725997b993cb14e51001d47076d59ad581980
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample exhibits OLE slack space anomalies and references Windows APIs such as VirtualProtect, LoadLibrary, and GetProcAddress, which malware commonly uses to load and execute code. The presence of numerous embedded URLs, although their reputation is currently unknown, suggests a potential delivery mechanism for malicious payloads. No scripts were extracted from this sample, which limits further analysis of its direct execution behavior.

Heuristics (5)

  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    OLE file is 107,031 bytes but its declared streams total only 24,565 bytes — 82,466 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • SC_STR_VIRTUALPROTECT (medium): Reference to VirtualProtect API
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://search.minghui.org/mh/articles/2008/10/8/187303.html#08107223353-8
    • http://www.minghui.ca/mh/articles/2009/2/14/195442.html
    • http://www.minghui.org/mh/articles/2009/10/27/211192.html
    • http://www.minghui.org/mh/articles/2006/8/2/134559.html
    • http://www.minghui.org/mh/articles/2005/8/31/109497.html
    • http://www.minghui.org/mh/articles/2005/8/28/109331.html
    • http://www.minghui.org/mh/articles/2006/2/24/121541.html
    • http://minghui.org/mh/articles/2009/3/2/196404.html
    • http://www.minghui.org/mh/articles/2001/5/30/11628.html
    • http://www.minghui.org/mh/articles/2006/9/13/137716.html
    • http://search.minghui.org/mh/articles/2008/5/22/178934.html
    • http://minghui.org/mh/articles/2009/2/2/194700.html
    • http://www.minghui.org/mh/articles/2008/1/26/171110.html
    • http://minghui.org/mh/articles/2009/8/17/206645.html
    • http://www.minghui.org/mh/articles/2007/9/24/163211.html
    • http://www.minghui.ca/mh/articles/2008/12/6/191192.html
    • http://www.minghui.org/mh/articles/2007/5/24/155482.html
    • http://www.minghui.org/mh/articles/2006/5/29/129095.html
    • http://minghui.org/mh/articles/2009/11/15/212608.html
    • http://www.minghui.org/mh/articles/2009/10/24/211001.html
    • http://www.minghui.org/mh/articles/2008/4/10/176201.html
    • http://big5.minghui.org/mh/articles/2004/10/22/87318.html
    • http://minghui.org/mh/articles/2006/8/13/135453.html
    • http://minghui.org/mh/articles/2009/7/6/204041.html
    • http://www.minghui.org/mh/articles/2007/3/10/150488.html
    • http://minghui.org/mh/articles/2003/4/8/47917p.html
    • http://www.minghui.org/mh/articles/2005/10/31/113496.html
    • http://www.minghui.org/mh/articles/2005/7/20/106554.html
    • http://www.minghui.org/mh/articles/2009/1/1/192747.html
    • http://www.minghui.org/mh/articles/2007/10/19/164807.html
    • http://minghui.ca/mh/articles/2007/5/4/154108.html
    • http://www.minghui.org/mh/articles/2005/7/24/106872.html
    • http://www.minghui.org/mh/articles/2006/4/14/125227.html
    • http://www.minghui.org/mh/articles/2006/3/11/122574.html
    • http://minghui.org/mh/articles/2006/8/1/134500.html
    • http://www.dongtaiwang.com/dmirror/http/search.minghui.org/mh/articles/2005/11/29/115446.html
    • http://www.minghui.org/mh/articles/2007/7/9/158547.html
    • http://www.minghui.org/mh/articles/2004/12/30/92460.html
    • http://minghui.org/mh/articles/2009/2/23/195977.html
    • http://www.minghui.org/mh/articles/2000/9/12/2219.html
    • http://www.dongtaiwang.com/dmirror/http/search.minghui.org/mh/articles/2003/3/14/46455.html#chinanews0314-1
    • http://www.minghui.org/mh/articles/2008/10/31/188927.html
    • http://www.minghui.org/mh/articles/2006/10/2/139197.html
    • http://www.minghui.org/mh/articles/2006/2/15/120833.html
    • http://www.minghui.org/mh/articles/2004/1/8/64323.html
    • http://www.minghui.org/mh/articles/2004/5/1/73613.html
    • http://minghui.org/mh/articles/2009/11/15/212639.html#0911150934-1
    • http://minghui.org/mh/articles/2003/5/7/49799.html
    • http://www.minghui.ca/mh/articles/2007/8/28/161664.html
    • http://search.minghui.org/mh/articles/2005/3/1/96362.html
    (6 more URLs not shown)