Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a12ca6389c48ae35…

MALICIOUS

Office (OLE)

132.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel
MD5: 20f17521e96a35d82bc4387fc4cbf52a SHA-1: 4a59712d294d98041f29835344f9cbc77e05f879 SHA-256: a12ca6389c48ae35df331f639912b69ede89a061aeb5542fa1b7b1ca309fe038
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an Excel OLE file exhibiting a significant slack space anomaly, indicating hidden or obfuscated content. A critical heuristic firing confirms the presence of XOR-encoded strings with a key of 0xFC, further supporting the obfuscation. While no specific malicious behavior like network communication or payload execution was directly observed in the extracted metadata or document body, the heavy obfuscation strongly suggests malicious intent, likely to conceal a secondary payload or exploit.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 135,680 bytes but its declared streams total only 15,628 bytes — 120,052 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.