Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 707a9b41257dbde5…

MALICIOUS

Office (OLE) / .XLS

118.2 KB
MD5: 37c2af8703f9ff947960c2a5ea3527ed
SHA-1: 9ca9935380298a25d042e0e6907dd8261f894dfa
SHA-256: 707a9b41257dbde5e05d47a8b59cc0ad786c2d91002d72356d303bd0ee0b01b4
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The critical SC_XOR_ENCODED heuristic found five Windows API names (GetProcAddress, CreateProcessA, ExitProcess, CreateFileA, CreateFileW) XOR-encoded with the single-byte key 0xDE. A string table like this is what shellcode uses to resolve its imports at run time, and encoding it defeats plain string scans. The high OLE_SLACK_ANOMALY heuristic shows that 53% of the file (64,721 of 121,067 bytes) lies outside every declared stream, in unallocated sector slack, which is where pre-macro-era exploit documents keep their encoded payload. The reference to VirtualAlloc fits the same picture: shellcode typically allocates executable memory before staging a second stage. Taken together, the indicators describe an exploit document carrying a dropper-style payload (CreateFileA/W to write a file, CreateProcessA to launch it). No network API (for example URLDownloadToFileA or the WinInet functions) appears among the flagged strings, so a downloader classification is not supported by the heuristics listed here; confirm the verdict by XOR-decoding the slack region with 0xDE and inspecting the resulting shellcode.
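The check behind SC_XOR_ENCODED, as an added example rather than the report generator's own code: try every single-byte key against a list of well-known API names and report the key(s) under which several of them appear, then list the offsets of the hits so the surrounding region can be carved and decoded. The API_NAMES list, the min_hits threshold and the sample buffer are assumptions; the sample is constructed, not bytes from the analysed file.

```python
"""Single-byte XOR scan for encoded Windows API names: the check behind SC_XOR_ENCODED.
Added example, not the report generator's code. API_NAMES, the min_hits threshold and the
sample buffer are assumptions."""
import random
import sys

# Names whose XOR-encoded presence is a strong shellcode indicator (assumed list).
API_NAMES = [b"GetProcAddress", b"CreateProcessA", b"ExitProcess", b"CreateFileA", b"CreateFileW",
             b"VirtualAlloc", b"LoadLibraryA", b"WinExec", b"URLDownloadToFileA"]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_xor_encoded_apis(data, min_hits=2):
    """Return {key: [names]} for each single-byte key (1..255) under which at least min_hits
    names appear. Key 0 is skipped (plaintext); min_hits > 1 keeps short names such as
    'WinExec' from matching by chance in a large buffer."""
    hits = {}
    for key in range(1, 256):
        found = [name.decode() for name in API_NAMES if xor_bytes(name, key) in data]
        if len(found) >= min_hits:
            hits[key] = found
    return hits


def locate_encoded_apis(data, key):
    """(offset, name) for every occurrence encoded under key, sorted by offset. Tightly
    spaced hits mark the shellcode's import table; the bytes around them are the region
    to decode and disassemble."""
    out = []
    for name in API_NAMES:
        enc = xor_bytes(name, key)
        pos = data.find(enc)
        while pos != -1:
            out.append((pos, name.decode()))
            pos = data.find(enc, pos + 1)
    return sorted(out)


def build_sample(key=0xDE):
    """Constructed buffer (not bytes from the analysed file): deterministic filler around a
    null-separated table of five API names, the whole table XOR-encoded under key, so the
    separators come out as key ^ 0x00 just as they would in real shellcode."""
    rng = random.Random(0x707A)
    filler = bytes(rng.getrandbits(8) for _ in range(2048))
    table = b"\x00".join(API_NAMES[:5]) + b"\x00"
    return filler + xor_bytes(table, key) + filler


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for k, names in find_xor_encoded_apis(blob).items():
        print("key 0x%02X: %s" % (k, ", ".join(names)))
        for off, name in locate_encoded_apis(blob, k):
            print("  0x%06X %s" % (off, name))
```

Run it against the sample file as `python xorscan.py sample.xls`; with no argument it scans the constructed buffer. The scan is brute force over the key space rather than a frequency guess, because shellcode string tables are short and a single-byte key is cheap to exhaust; a multi-byte or rolling key would need a different approach.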

Heuristics (3)

  • XOR-encoded strings (key 0xDE) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xDE: 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileW'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 121,067 bytes but its declared streams total only 56,346 bytes — 64,721 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
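The arithmetic behind OLE_SLACK_ANOMALY, as an added example rather than the report generator's own code: parse the compound-file header, FAT and directory, sum the declared stream sizes, compare against the file size (the report's metric), and additionally list the sector ranges the FAT leaves unallocated, which is where an analyst would start carving. It assumes a version 3 file (512-byte sectors, 32-bit stream sizes) whose FAT sectors are all referenced from the header DIFAT; the DIFAT chain used by very large files is not followed. The sample image, including its 'Workbook' stream name, is constructed and is not the analysed file.

```python
"""Measure OLE/CFB slack space: the check behind OLE_SLACK_ANOMALY, plus where the slack lives.
Added example, not the report generator's code. Assumes v3 files (512-byte sectors, 32-bit
stream sizes) whose FAT sectors are all listed in the header DIFAT (109 entries at 0x4C)."""
import math
import struct
import sys

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STREAM, ROOT = 2, 5  # directory entry types


def read_fat(data, sector_size):
    """Concatenate the FAT sectors named in the header DIFAT."""
    num_fat = struct.unpack_from("<I", data, 0x2C)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for sect in difat[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sect + 1) * sector_size))
    return fat


def chain(fat, start):
    """Follow a FAT chain; stops on end-of-chain/special values (all >= len(fat)) and on cycles,
    which a corrupted directory chain would otherwise loop on forever."""
    seen = set()
    while start < len(fat) and start not in seen:
        seen.add(start)
        yield start
        start = fat[start]


def declared_stream_bytes(data, sector_size, fat):
    """Sum the declared sizes of every stream entry in the directory (128-byte entries)."""
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    total = 0
    for sect in chain(fat, first_dir):
        base = (sect + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128: base + (i + 1) * 128]
            if entry[0x42] == STREAM:
                total += struct.unpack_from("<I", entry, 0x78)[0]
    return total


def slack_report(data):
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    fat = read_fat(data, sector_size)
    file_size = len(data)
    streams = declared_stream_bytes(data, sector_size, fat)
    # Every sector after the header that the FAT marks free or does not even cover.
    n_sectors = math.ceil((file_size - sector_size) / sector_size)
    ranges = []
    for i in range(n_sectors):
        if i < len(fat) and fat[i] != FREESECT:
            continue
        if ranges and ranges[-1][1] == i - 1:
            ranges[-1][1] = i
        else:
            ranges.append([i, i])
    return {
        "file_size": file_size,
        "declared_stream_bytes": streams,
        "slack_bytes": file_size - streams,  # the report's metric
        "slack_percent": round(100 * (file_size - streams) / file_size),
        "unallocated_sectors": [(a, b) for a, b in ranges],
        "unallocated_offsets": [((a + 1) * sector_size, min((b + 2) * sector_size, file_size))
                                for a, b in ranges],
    }


def build_sample(stream_size=4500, slack_sectors=8):
    """Constructed minimal .xls-like OLE image (not the analysed file): FAT, directory, one
    'Workbook' stream, then slack_sectors unallocated sectors standing in for a hidden payload."""
    ss = 512
    n_stream = math.ceil(stream_size / ss)
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN  # sector 0 = FAT, sector 1 = directory
    for i in range(n_stream):             # sectors 2.. = stream chain
        fat[2 + i] = 3 + i
    fat[2 + n_stream - 1] = ENDOFCHAIN
    hdr = bytearray(ss)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                       # 1 FAT sector; directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)

    def dirent(name, etype, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n), etype, 1)
        struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)
        struct.pack_into("<II", e, 0x74, start, size)
        return e

    directory = dirent("Root Entry", ROOT, 1, ENDOFCHAIN, 0) + dirent("Workbook", STREAM, FREESECT, 2, stream_size)
    directory += bytes(ss - len(directory))
    return bytes(hdr) + struct.pack("<%dI" % len(fat), *fat) + bytes(directory) + bytes((n_stream + slack_sectors) * ss)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for k, v in slack_report(blob).items():
        print("%-22s %s" % (k, v))
```

The two numbers differ on purpose: the report's "file size minus declared streams" figure also counts the header, FAT and directory sectors and the rounding of each stream up to a sector, so a small percentage is normal even for a clean file (the constructed sample with no free sectors still shows about 1.6 KB of it). The unallocated sector ranges are the sharper signal: for a clean file they are empty or a few trailing sectors, whereas a payload hidden as in this report shows up as a large contiguous free range to decode with the XOR key.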