Office (OLE) / .XLS malware analysis — malicious · 160a2ab3438b5103

MALICIOUS

Office (OLE) / .XLS

84.0 KB

MD5: d9a402e74e136dec4ee4f9ec8913f533 SHA-1: e0e4ddcd00c08a6e43c312ef5a1bc753ab8197e4 SHA-256: 160a2ab3438b5103776a88c487bb3b9402685e3019b42a9e7ae4bdfaac4e7d04

140 Risk Score

Malware Insights

The file is an OLE document exhibiting characteristics of malicious intent, including XOR-encoded strings and a large slack space anomaly. The document body contains text that mimics official application forms for permits, a common lure for social engineering. While no specific script was extracted, the presence of XOR-encoded strings suggests obfuscated code, likely Visual Basic for Applications (VBA), which is commonly used in Office documents to execute malicious actions.

Heuristics 3

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'RegOpenKeyExA'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.