Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 798bd559f6ac1665…

MALICIOUS

Office (OLE) / .XLS

183.2 KB    Created: 1996-10-14 23:33:28 (document metadata; attacker-controlled, not a trustworthy timestamp)    Authoring application: Microsoft Excel
MD5: 55e815e945f09dce5d1d46dfe06603ba SHA-1: 2bf3a12b5c4d407e64999ce3fdb50e5d761904c9 SHA-256: 798bd559f6ac166500fbc786a2a61e00d4cb3240170ad73b2f186175b4b85760
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel (OLE) file with three converging indicators. First, 92% of its bytes sit outside every declared stream, in unallocated sector slack, the place where exploit-based Office documents normally park their payload. Second, its small embedded PowerPoint Document stream carries the sparse record set seen in OffArray-style exploit stubs and none of the usual text or placeholder atoms, which points to the CVE-2009-0556 family (reported as related rather than confirmed, since the malformed OffArray field itself has not been validated). Third, seven Windows API names are present XOR-encoded with the single-byte key 0xFC; obfuscated imports such as LoadLibraryA, VirtualAlloc and CreateProcessA are characteristic of an encoded second stage (shellcode or a dropped executable), likely a downloader or the exploit's own payload. The attack vector is therefore exploitation for client execution (T1203). No further indicators allow attribution to a specific malware family.
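As an added worked example (not part of the report or of the engine that produced it), the following Python reimplements the SC_XOR_ENCODED check over the 96 bytes transcribed from the disassembly listing under that heuristic below (file offsets 0x000223BE to 0x0002241D), brute-forcing all 255 single-byte keys instead of assuming 0xFC, and then lists every printable string the region holds once decoded. The API name dictionary, the function names and the keep_zero encoder variant are this example's own assumptions; the bytes and offsets are the listing's.

```python
import re

# Dictionary for the scan: the seven names the report lists plus the name that decodes
# at 0x223CE in the listing (assumption: any longer list works the same way).
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"CreateProcessA",
             b"CreateProcessW", b"RegOpenKeyExW", b"ShellExecuteA", b"GetModuleHandleA"]

# The 96 bytes transcribed from the report's disassembly listing, 0x223BE..0x2241D.
LISTING_BASE = 0x000223BE
LISTING_BYTES = bytes.fromhex(
    "b0939d98b0959e8e9d8e85bd0000dafd"
    "bb9988b19398899099b49d92989099bd0000b9fd"
    "bb9988ac8e939f998f8faa998e8f95939200"
    "00ff908f888e9f918c95ab0001fe908f888e9f918cab0000"
    "7bfdbb90939e9d90ba909d9b8f000b00bb99")
assert len(LISTING_BYTES) == 0x0002241E - LISTING_BASE


def xor_decode(buf, key, keep_zero=False):
    """Single-byte XOR. With keep_zero=True, bytes equal to 0x00 or to the key are left
    alone: the common encoder variant that keeps NUL terminators as NULs."""
    if not keep_zero:
        return bytes(b ^ key for b in buf)
    return bytes(b if b in (0, key) else b ^ key for b in buf)


def find_xor_encoded_apis(buf, names=API_NAMES, base=0):
    """Brute-force every non-zero single-byte key and report which keys reveal which API
    names at which file offsets: {key: [(offset, name), ...]} for keys with hits.
    Key 0 is skipped on purpose: plaintext names are not 'XOR-encoded'."""
    hits = {}
    for key in range(1, 256):
        dec = xor_decode(buf, key)
        found = []
        for name in names:
            pos = dec.find(name)
            while pos != -1:
                found.append((base + pos, name.decode()))
                pos = dec.find(name, pos + 1)
        if found:
            hits[key] = sorted(found)
    return hits


def decoded_strings(buf, key, min_len=4, keep_zero=False):
    """All printable ASCII runs of at least min_len bytes once buf is decoded with key."""
    dec = xor_decode(buf, key, keep_zero)
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dec)]


if __name__ == "__main__":
    hits = find_xor_encoded_apis(LISTING_BYTES, base=LISTING_BASE)
    for key, found in hits.items():
        print("key 0x%02x:" % key, ", ".join("%s@0x%06x" % (n, o) for o, n in found))
    # What the region actually holds once decoded: names, not instructions.
    print(decoded_strings(LISTING_BYTES, 0xFC))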

Heuristics 3

  • PowerPoint OffArray-style record stub (CVE-2009-0556 related) high (CVE related) PPT_CVE_2009_0556_RELATED
    Small embedded PowerPoint Document stream contains the sparse record set associated with OffArray-style exploit stubs and lacks normal text/placeholder atoms. This is CVE-2009-0556-family evidence, reported as related until the malformed OffArray field is validated directly.
  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'CreateProcessW', 'RegOpenKeyExW', 'ShellExecuteA'
    Disassembly
    Attempted x86 opcode disassembly of the still-encoded bytes at 0x000223BE. The listing is not meaningful code: under key 0xFC this region decodes to the ASCII names LoadLibraryA (0x000223BE), GetModuleHandleA (0x000223CE), GetProcessVersion, lstrcmpiW, lstrcmpW and GlobalFlags, separated by 0x00 bytes and short two-byte values, a layout that resembles a PE import-by-name table more than shellcode. Decode the region first; the instructions below are an artefact of disassembling encoded text.
    000223BE  b093              mov al, 0x93
    000223C0  9d                popfd
    000223C1  98                cwde
    000223C2  b095              mov al, 0x95
    000223C4  9e                sahf
    000223C5  8e9d8e85bd00      mov ds, word ptr [ebp + 0xbd858e]
    000223CB  00da              add dl, bl
    000223CD  fd                std
    000223CE  bb9988b193        mov ebx, 0x93b18899
    000223D3  98                cwde
    000223D4  899099b49d92      mov dword ptr [eax - 0x6d624b67], edx
    000223DA  98                cwde
    000223DB  90                nop
    000223DC  99                cdq
    000223DD  bd0000b9fd        mov ebp, 0xfdb90000
    000223E2  bb9988ac8e        mov ebx, 0x8eac8899
    000223E7  93                xchg ebx, eax
    000223E8  9f                lahf
    000223E9  99                cdq
    000223EA  8f                .byte 0x8f
    000223EB  8f                .byte 0x8f
    000223EC  aa                stosb byte ptr es:[edi], al
    000223ED  99                cdq
    000223EE  8e8f95939200      mov cs, word ptr [edi + 0x929395]
    000223F4  00ff              add bh, bh
    000223F6  90                nop
    000223F7  8f                .byte 0x8f
    000223F8  888e9f918c95      mov byte ptr [esi - 0x6a736e61], cl
    000223FE  ab                stosd dword ptr es:[edi], eax
    000223FF  0001              add byte ptr [ecx], al
    00022401  fe                .byte 0xfe
    00022402  90                nop
    00022403  8f                .byte 0x8f
    00022404  888e9f918cab      mov byte ptr [esi - 0x54736e61], cl
    0002240A  0000              add byte ptr [eax], al
    0002240C  7bfd              jnp 0x2240b
    0002240E  bb90939e9d        mov ebx, 0x9d9e9390
    00022413  90                nop
    00022414  ba909d9b8f        mov edx, 0x8f9b9d90
    00022419  000b              add byte ptr [ebx], cl
    0002241B  00                .byte 0x00
    0002241C  bb                .byte 0xbb
    0002241D  99                cdq
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 187,588 bytes but its declared streams total only 15,628 bytes; the remaining 171,960 bytes (92%) lie in unallocated sector slack. This is the canonical hiding place for the payload of an exploit-based (macro-less) Office document: XOR-encoded shellcode or a second-stage executable that execution reaches only after a parser pointer-corruption bug in the document structure. Note that the figure compares file size against stream sizes alone, so the header, FAT and directory sectors are counted as unaccounted; counting the sectors that no FAT chain owns gives the tighter measure.
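The OLE_SLACK_ANOMALY figure is reproducible without any Office library. As an added example, not the report's own code, the Python below parses the compound-file header, FAT and directory, sums the declared stream sizes (the report's measure) and separately counts sectors that no FAT chain owns (the tighter measure), then runs itself on a minimal compound file it constructs in memory: a single Workbook stream plus 20 unreferenced sectors of XOR-obscured bytes. The constructed file, the function names and the result keys are this example's assumptions; the real document's numbers are the report's.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF
STREAM, ROOT = 2, 5          # directory entry object types


def read_fat(data, sector_size, fat_sectors):
    """Concatenate the FAT sectors named in the header DIFAT into one table of uint32."""
    fat = []
    for s in fat_sectors:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (s + 1) * sector_size))
    return fat


def walk_chain(fat, start):
    """Follow a FAT chain; stops on ENDOFCHAIN/FREESECT (>= len(fat)) and on cycles."""
    seen, s = set(), start
    while s < len(fat) and s not in seen:
        seen.add(s)
        yield s
        s = fat[s]


def ole_slack_report(data):
    """Declared stream bytes (directory view) and unowned sectors (FAT view) of a CFB file."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)          # first 109 FAT sector numbers
    fat = read_fat(data, sector_size, [s for s in difat[:num_fat] if s != FREESECT])
    streams = {}
    for d in walk_chain(fat, first_dir):                   # every 128-byte directory entry
        for i in range(sector_size // 128):
            off = (d + 1) * sector_size + i * 128
            ent = data[off:off + 128]
            name_len, etype = struct.unpack_from("<HB", ent, 64)
            if etype != STREAM:
                continue
            name = ent[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            streams[name] = struct.unpack_from("<I", ent, 120)[0]   # v3: low 32 bits
    total = (len(data) - sector_size) // sector_size       # sectors after the header block
    free = sum(1 for i in range(min(total, len(fat))) if fat[i] == FREESECT)
    unallocated = free + max(0, total - len(fat))          # free in FAT, or beyond the FAT
    declared = sum(streams.values())
    return {"file_size": len(data), "streams": streams, "declared_stream_bytes": declared,
            "unaccounted_bytes": len(data) - declared,
            "unaccounted_pct": round(100.0 * (len(data) - declared) / len(data), 1),
            "unallocated_sectors": unallocated, "unallocated_bytes": unallocated * sector_size}


def build_sample_ole(slack_sectors=20, key=0xFC):
    """Constructed sample, not the analysed document: a minimal v3 compound file (sector 0
    FAT, sector 1 directory, sector 2 one 100-byte 'Workbook' stream) followed by
    slack_sectors of XOR-obscured bytes that no FAT chain references."""
    ss = 512
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (ss // 4 - 3)
    workbook = b"constructed Workbook stream contents".ljust(100, b"\0")

    def entry(name, etype, child, start, size):
        n = name.encode("utf-16-le") + b"\0\0"
        return (n.ljust(64, b"\0") + struct.pack("<HBBIII", len(n), etype, 1, NOSTREAM, NOSTREAM, child)
                + b"\0" * 36 + struct.pack("<IQ", start, size))

    header = (CFB_MAGIC + b"\0" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREESECT] * 108))
    directory = (entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
                 + entry("Workbook", STREAM, NOSTREAM, 2, len(workbook))).ljust(ss, b"\0")
    n = slack_sectors * ss
    hidden = (b"hidden payload (constructed) " * 40)[:n].ljust(n, b"\0")
    slack = bytes(b ^ key for b in hidden)
    return header + struct.pack("<128I", *fat) + directory + workbook.ljust(ss, b"\0") + slack


if __name__ == "__main__":
    for k, v in ole_slack_report(build_sample_ole()).items():
        print("%-22s %s" % (k, v))
```

On the constructed file the directory view reports 100 declared bytes in a 12,288-byte file while the FAT view reports exactly the 20 appended sectors as unowned; on the real sample the two views differ by the header, FAT and directory sectors, which is why the 92% above is a slight overstatement of the true slack. To triage such a region, carve the unowned sectors and run the XOR key brute-force over them.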