Office (OLE) / .XLS malware analysis — malicious · b1a853d8ba3a8fb9

MALICIOUS

Office (OLE) / .XLS

84.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 6e35bdb29152c70872fa2fcf3ce4e716 SHA-1: 1743e4826570d21dc40a1170ca70d9226bb7467a SHA-256: b1a853d8ba3a8fb986d115440d144b89d050d3993149f83f44e6de13acba45b0

140 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is an OLE Excel file exhibiting a large slack space anomaly and contains XOR-encoded strings, indicating obfuscation. The presence of SC_PEB_ACCESS suggests attempts to evade detection. While no specific VBA or script content was extracted, the heuristics strongly suggest a malicious document designed to hide its true functionality, likely involving the execution of a second-stage payload through obfuscated code.

Heuristics 3

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'VirtualAlloc', 'RegOpenKeyExA'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.