Office (OLE) / .XLS malware analysis — malicious · 7925d60403d5d81d

MALICIOUS

Office (OLE) / .XLS

164.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 7c363ba500456fd935c09b8b9c85835c SHA-1: 14d6a30df5b8d735408911efefd8605a3f2eb168 SHA-256: 7925d60403d5d81d1c11e93a5a15fed8e975c04bc3159058e2dada0a3060d534

140 Risk Score

Malware Insights

MITRE ATT&CK

T1140 Deobfuscate/Decode Files or Information

The sample is an Excel file exhibiting critical heuristics for XOR-encoded strings and high heuristics for PEB access and OLE slack anomalies, indicating obfuscation and potential malicious activity. The XOR key 0x97 was identified, suggesting a decoding mechanism for embedded malicious content. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or delivery vector.

Heuristics 3

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'CreateProcessA', 'RegOpenKeyExA'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 167,936 bytes but its declared streams total only 21,308 bytes — 146,628 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.