Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 8ee9f81d482f0c3a…

MALICIOUS

Office (OLE) / .XLS

85.0 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel
MD5: 44f53b38c668cd5cddf47d1586ae5c6c SHA-1: 752a68b0f16b4e0233abe79b7db75a3fb8c30cb3 SHA-256: 8ee9f81d482f0c3a19bf81371e517470dff8c826e8b31f42077fa756ebf38b70
100 Risk Score

Malware Insights

The sample is an Excel spreadsheet exhibiting a critical heuristic for XOR-encoded strings with a key of 0xFC. Additionally, it shows a high heuristic for OLE slack space anomaly, indicating potential obfuscation or embedded malicious content. While no document body or scripts were extracted, the presence of these heuristics strongly suggests a malicious intent, likely involving the execution of encoded commands or payloads.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 87,040 bytes but its declared streams total only 15,628 bytes — 71,412 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.