Win.Downloader.97183-1 Office (OLE) / .XLS malware analysis — malicious · fc86762a59d05e7d

MALICIOUS

Office (OLE) / .XLS

132.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 06917c2bb21745df4532d95ba88430dc SHA-1: be7f3c8d7c5c834f9b48fe6bc0d3f56cf2d96c7b SHA-256: fc86762a59d05e7d2e39ed39809ccf373156d5229f960b2f56491cb3e8cb7120

440 Risk Score

Malware Insights

Win.Downloader.97183-1 · confidence 95%

MITRE ATT&CK

T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1204.002 Malicious File T1059.001 PowerShell

The file is identified as a malicious Excel spreadsheet by ClamAV (Win.Downloader.97183-1). It contains an embedded PE executable and references APIs commonly used for process creation and dynamic library loading, such as CreateProcess, VirtualAlloc, and LoadLibrary. The presence of suspicious cmd.exe invocation and a visible LOLBin command execution instruction suggests it attempts to execute downloaded payloads. The embedded executable and suspicious URLs indicate a downloader functionality, likely aiming to fetch and execute further malicious content.

Heuristics 11

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Downloader.97183-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Downloader.97183-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 135,703 bytes but its declared streams total only 24,565 bytes — 111,138 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://%s:%d/net/B%s/search%s.php
- http://%s:%d/net/B%s/serinfo
- http://about:blank

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0000fc13.exe` `958ace3b3b57b5be1205c28dfc886b7235726f95105159f2d3aedf6833cd8e3a`	embedded-pe	Office MZ+PE at offset 0xFC13	71172 bytes
Detection ClamAV: Win.Downloader.97183-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.