Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f04a5d70c9a07b1f…

MALICIOUS

Office (OLE) / .XLS

74.7 KB
MD5: d32e0ed4025ea859f239f407019f704d
SHA-1: dcab4c4375d3d1c89783d9227f28eb259eba22c7
SHA-256: f04a5d70c9a07b1f81dca072e5e253ce302296d2408d92a563f399dc81a184c8
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1027 Obfuscated Files or Information

The sample is an OLE file that failed VBA extraction due to an unsupported format. However, heuristics indicate the presence of XOR-encoded strings and a reference to VirtualAlloc, suggesting malicious code execution. The obfuscated nature and inability to extract VBA macros point towards an attempt to hide malicious functionality, likely a downloader. Without extractable VBA, the exact payload and delivery mechanism remain unclear.

Heuristics (3)

  • XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.