Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f4fa7fb87cc913c1…

MALICIOUS

Office (OLE) / .XLS

Size: 69.0 KB
Created: 2022-09-29 11:53:37
Authoring application: Microsoft Excel
First seen: 2022-09-30
MD5: 3bdc9839c6fb57aeeff9fd0897276b18
SHA-1: ecca4989b224d456cb129b438403e486ed989e27
SHA-256: f4fa7fb87cc913c17d129e83ae6b679143246f10298c5b906471d33f3e89a6f8
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample contains heuristics indicating the use of PowerShell and a command-line execution pattern that suggests downloading content. The embedded URL, although marked as benign, is likely part of the initial lure or staging. The primary function appears to be downloading and executing a secondary payload via PowerShell.

Heuristics (3)

  • Reference to PowerShell (severity: high, SC_STR_POWERSHELL)
  • LOLBin token sequence in document text (severity: high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://64368585.github.io/53ce/jygou.png