Office (OLE) / .XLS malware analysis — malicious · 3592d2b884e6625a

MALICIOUS

Office (OLE) / .XLS

54.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel

MD5: 6fdb1807f15c08fd2ef74a31dcb5da5c SHA-1: d8654dd1186e91e9088242cbc82ee30e359c70dc SHA-256: 3592d2b884e6625ab1d122e0c7ee4bf35c1edb557f9c22a5b32b580a7bb20b88

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is an Excel spreadsheet exhibiting a critical heuristic for XOR-encoded strings, with the XOR key identified as 0xFC. Additionally, a high heuristic firing indicates a significant amount of slack space within the OLE structure, suggesting potential obfuscation or embedded malicious content. While no specific payload or delivery mechanism is directly evident from the limited document body, the presence of obfuscated strings strongly suggests an intent to conceal malicious functionality.

Heuristics 2

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 55,808 bytes but its declared streams total only 15,628 bytes — 40,180 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.