Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 75a76adfb1998b04…

MALICIOUS

Office (OLE) / .XLS

212.1 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 081aeb17b043c123c44b5f47ad7a58c9 SHA-1: 6902dedea4d68b32472b0809464efd286e550746 SHA-256: 75a76adfb1998b04ce305cefe1bac6f86138addfd25deb9c33efc6c8b57604e5
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE Excel file with a significant amount of slack space, indicating potential obfuscation or packed content. A critical heuristic identified XOR-encoded strings with a key of 0x63, suggesting an attempt to hide malicious code or data. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, but the encoding strongly implies malicious intent.

Heuristics 2

  • XOR-encoded strings (key 0x63) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 217,156 bytes but its declared streams total only 24,565 bytes — 192,591 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.