Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3b34c3c51b655d7a…

MALICIOUS

Office (OLE) / .XLS

82.0 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel
MD5: f592a7d7fbd2e4e9dad496249d311aa6 SHA-1: 958f082b5f06548a29a14f10c367071f20dc9c2f SHA-256: 3b34c3c51b655d7ac0de1799e03d9cf88d7bfb54fc1584fae422eb18cad976d2
100 Risk Score

Malware Insights

The sample is an Excel spreadsheet exhibiting a high slack space anomaly and contains XOR-encoded strings with a key of 0xFC. The presence of embedded URLs and the critical heuristic firing for XOR-encoded strings indicate a likely attempt to obfuscate malicious content, possibly for delivery of a secondary payload. The specific XOR key is provided as an IOC.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'kernel32.dll', 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 83,968 bytes but its declared streams total only 15,628 bytes — 68,340 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.