Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 26cf5790e8b3808b…

MALICIOUS

Office (OLE) / .XLS

Size: 63.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 61a29b7d8a6c3a03a884f2f64be5ca21
SHA-1: 2fc4c0a5bdb0904d5f81bb5903835996b83998b9
SHA-256: 26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The sample is a malicious Excel spreadsheet exhibiting characteristics of macro-based malware. Heuristics indicate the use of WinExec, LoadLibrary, and GetProcAddress APIs, suggesting dynamic code execution. The presence of XOR-encoded strings and a large slack space anomaly points towards obfuscation techniques. Without a document body or script content, the exact payload and delivery mechanism remain unclear, leading to a lower confidence in family attribution.

Heuristics (5)

  • XOR-encoded strings (key 0x03) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x03: 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA', 'WriteProcessMemory', 'ReadProcessMemory'
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 64,512 bytes but its declared streams total only 24,565 bytes — 39,947 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).