Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 fad6f303109fca50…

MALICIOUS

Office (OLE) / .XLS

67.5 KB Created: 2023-06-19 16:10:00 Authoring application: Microsoft Excel First seen: 2023-07-14
MD5: 488301d44cd53bd9dbf2f2affefde3a1 SHA-1: 17ae265773e1cc0d564891ddd954c71d6914dead SHA-256: fad6f303109fca5090e9b9608cfd6c5d70de9fca180191d2f4a0c040e4814b14
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1218.011 System Binary Proxy Execution: Rundll32

The sample contains a high-severity heuristic firing for PowerShell execution and another for a LOLBin token sequence, indicating an attempt to run commands via legitimate system binaries. The embedded URL is confirmed benign, but the PowerShell command itself is suspicious and likely intended to download and execute a secondary payload. The document body is heavily obfuscated and unreadable.

Heuristics 3

  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ayincil.github.io/ytqi/dfbtq.png\
    • https://ayincil.github.io/ytqi/dfbtq.png

Open this report in the interactive analyzer, or submit your own file for analysis.