Office (OLE) / .XLS malware analysis — malicious · 25e42a792eedbe5f

MALICIOUS

Office (OLE) / .XLS

145.0 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel

MD5: 4117da07e9b756f4dfa8ace33126b3ab SHA-1: 6c5ece4448e05714fd3396229328a4e5ba173596 SHA-256: 25e42a792eedbe5f3418d8b1af024a7bf0e16a7243b07e29fe106b0993e909cd

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is an Excel spreadsheet exhibiting a critical heuristic for XOR-encoded strings, suggesting obfuscation of malicious content. The large amount of slack space in the OLE structure is also anomalous. While no specific malicious behavior like network communication or file drops was directly observed in the static analysis, the obfuscation strongly indicates malicious intent. The lack of a document body or script content limits further analysis of the specific lure or payload.

Heuristics 2

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 148,480 bytes but its declared streams total only 15,628 bytes — 132,852 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.