Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 58e35df043c55833…

MALICIOUS

Office (OLE) / .XLS

84.0 KB
MD5: 916034147eb316ff239365943e626567 SHA-1: ca500b5ee997ac3f5435db6ad69bdf76c5f59c92 SHA-256: 58e35df043c55833188b796b39853a85cccb0e71dec7e4b2c68abbb1f4d57c5b
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an XLS file exhibiting high heuristic firings for PEB access and XOR-encoded strings, indicating obfuscation and potentially malicious code execution. The large slack space in the OLE structure is also anomalous. While no specific malicious scripts or URLs were extracted, the document body presents itself as a series of official application forms, a common lure for phishing or malware delivery. The XOR-encoded strings suggest the presence of hidden malicious functionality.

Heuristics 3

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'RegOpenKeyExA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.