Office (OLE) / .XLS malware analysis — malicious · 7d861dd7bb3f527f

MALICIOUS

Office (OLE) / .XLS

431.0 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel

MD5: ca5ccff011ff11cf6d010c37cad1e491 SHA-1: 35755413ed672ca3a2a33fcc068e88ccd0f72c87 SHA-256: 7d861dd7bb3f527f8c9a02e7a80ae7b2a7b16efe7d79fc46c1d72a9b999f1847

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The Excel file exhibits suspicious characteristics including XOR-encoded strings and a significant amount of slack space, indicating an attempt to obfuscate its malicious payload. While no specific malicious behavior like network communication or file execution was directly observed in the static analysis, these obfuscation techniques are commonly employed by malware to evade detection. The presence of these indicators warrants further investigation.

Heuristics 2

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualProtect', 'CreateProcessA', 'RegOpenKeyExA', 'ShellExecuteA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 441,344 bytes but its declared streams total only 15,628 bytes — 425,716 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.