Office (OLE) / .XLSX malware analysis — malicious · fbe47defb5bf718d

MALICIOUS

Office (OLE) / .XLSX

585.2 KB

MD5: 1103923de770bba0894e2c364e6ebbea SHA-1: 0c65266a85a68cfbb0897fd433fd9e87798b5112 SHA-256: fbe47defb5bf718d5daae15d8c29d6ba4c69bc63d637435ff75ef301fcab65ef

140 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model Hijacking

The sample is an Office document that is password-encrypted, a common technique to evade static analysis. Heuristics indicate it's an exploit carrier, suggesting it's designed to deliver a secondary payload. The encryption and malformed structure further support its malicious intent.

Heuristics 4

Encrypted Office package with CFB FAT corruption critical OLE_ENCRYPTED_AND_MALFORMED

Encrypted-package shape co-occurs with FAT-chain corruption — the documented combined evasion form.
Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE

Default-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGE

OLE container holds MS-OFFCRYPTO encrypted package (Standard Encryption (Office 2007, AES)).
Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML

OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.

Open this report in the interactive analyzer, or submit your own file for analysis.