Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9eb709cfebf9587e…

MALICIOUS

Office (OLE) / .XLS

Size: 122.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: cedad7b4a133317bffc55e70d76a5047
SHA-1: cb8a8b6158aa5f7f7d9a6c2c50c3ca9b5d3a13fd
SHA-256: 9eb709cfebf9587ef1cd5a49581d339cc40eb4d4372562c626bf118784465895
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The presence of high-severity heuristics referencing WinExec, LoadLibrary, and GetProcAddress, combined with XOR-encoded strings, strongly suggests the file is designed to execute malicious code. The OLE Slack Anomaly and NOP-equivalent sled further indicate obfuscation and potential shellcode. Without a document body or scripts, the exact delivery or payload is unclear, but the API calls point to a downloader or loader pattern.

Heuristics (6)

  • XOR-encoded strings (key 0xDB) [critical, SC_XOR_ENCODED]
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xDB: 'advapi32.dll', 'iphlpapi.dll', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'CreateProcessA', 'CreateFileA'
  • Reference to WinExec API [high, SC_STR_WINEXEC]
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 125,440 bytes but its declared streams total only 24,565 bytes — 100,875 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]
    Long run of 0x43 bytes