Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 aeb14c35221a3ff7…

MALICIOUS

Office (OLE) / .XLS

1006.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel
MD5: 778735eed2522a4cb2a4731cc9a480b7 SHA-1: c03971141af610c05ee7ebc66d668079382df8e4 SHA-256: aeb14c35221a3ff733b3c113c6a71321b5a6c8e9717b9e7a46c9fd8c217a1710
100 Risk Score

Malware Insights

The sample is an Excel spreadsheet exhibiting a critical heuristic for XOR-encoded strings, suggesting obfuscation of malicious content. The large amount of slack space in the OLE structure is also anomalous. While no specific payload or delivery mechanism is directly evident from the limited document body or heuristics, the presence of obfuscated strings points towards an attempt to conceal malicious code execution, likely through VBA macros, which are common in Excel-based attacks.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,030,656 bytes but its declared streams total only 15,628 bytes — 1,015,028 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.