Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3f35d31d90022c10…

MALICIOUS

Office (OLE) / .XLS

Size: 84.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: e023789bb3f46c65fed4fe6146d64071
SHA-1: ff0cb2b8748c14fefb75552a0144940ce7fd4f71
SHA-256: 3f35d31d90022c10ae9bf57a88c0066b5089526999681461b73712a69602dc2c
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1027 Obfuscated Files or Information

The file is an Excel spreadsheet containing text that mimics official application forms for various permits. Heuristics indicate the presence of XOR-encoded strings and PEB access, suggesting malicious code execution. The large slack space in the OLE structure is also anomalous. While no specific URLs or scripts were extracted, the document's content and heuristic firings strongly suggest it's a lure for a malicious payload, likely delivered via obfuscated code.

Heuristics (3)

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'RegOpenKeyExA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).