Office (OLE) / .XLS malware analysis — malicious · 19ffdf914bdff468

MALICIOUS

Office (OLE) / .XLS

126.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel

MD5: 5d309692bfdd94794d2e1b2de0caca90 SHA-1: 323563b9cd14813f5f10e6c03df2e9eaf5001c4c SHA-256: 19ffdf914bdff468ffe40abe4cc1eeb6751bb06c821ad6fe6a0dd892e47de996

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is a malicious Excel spreadsheet exhibiting a critical heuristic for XOR-encoded strings with a key of 0xFC. Additionally, it shows a high heuristic for OLE slack space anomaly, indicating a large portion of the file is unused and potentially contains hidden data. The presence of encoded strings suggests an attempt to conceal malicious code or data within the document. Without further script or body content, the exact payload delivery mechanism remains unclear, but the obfuscation points towards a downloader or dropper.

Heuristics 2

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 129,536 bytes but its declared streams total only 15,628 bytes — 113,908 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.