MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The sample is an Excel spreadsheet exhibiting an OLE slack anomaly and XOR-encoded strings, indicating obfuscation. The presence of XOR-encoded strings suggests an attempt to hide malicious code or data. While no specific VBA or script content was extracted, the heuristics point towards a malicious Excel document likely designed to exploit a vulnerability or deliver a secondary payload. The XOR key 0xE6 is a primary indicator of the obfuscation method used.
Heuristics 2
-
XOR-encoded strings (key 0xE6) critical SC_XOR_ENCODEDFound 1 Windows library/API name(s) XOR-encoded with single-byte key 0xE6: 'shell32.dll'
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 109,278 bytes but its declared streams total only 24,565 bytes — 84,713 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.