Office (OLE) / .XLS malware analysis — malicious · b757b691af873957

MALICIOUS

Office (OLE) / .XLS

58.1 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 3e6d6f57d316c49590edee6f17fb64f9 SHA-1: 549838dc00c7468d3f78afb47207a857ec27db61 SHA-256: b757b691af8739574398a955f0007ee924700d177226c0be5258e250a9812eb7

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell

The sample is a malicious Excel spreadsheet. Heuristics indicate the presence of XOR-encoded strings and a reference to the WinExec API, suggesting an attempt to execute arbitrary code. The large amount of slack space in the OLE structure is also anomalous. Without a document body or scripts, the exact payload and delivery mechanism cannot be determined, but the indicators point to a downloader or dropper.

Heuristics 3

XOR-encoded strings (key 0x98) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x98: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA', 'RegOpenKeyExA'
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 59,540 bytes but its declared streams total only 24,565 bytes — 34,975 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.