Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a33184524efb3410…

MALICIOUS

Office (OLE) / .XLS

Size: 133.5 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: cec36ad262551560608f997961cbfbc7
SHA-1: 0df27ce4d9815359a188c25665ad33ac4eb90ae8
SHA-256: a33184524efb3410dd9ca0c7e533ff6869cb056faf46ed58cce71df12242776e
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an Excel spreadsheet that triggers a critical-severity heuristic for XOR-encoded strings, indicating that malicious content has been obfuscated. The large amount of slack space in the OLE structure is also anomalous. Although no specific malicious behavior, such as network communication or file execution, is directly observed from the available heuristics and document body, the obfuscation techniques strongly indicate malicious intent, most likely as a lure or dropper.

Heuristics (2)

  • XOR-encoded strings (key 0xFC) [severity: critical, rule: SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    The OLE file is 136,704 bytes, but its declared streams total only 15,628 bytes; the remaining 121,076 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).