Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b841c3f629d37332…

MALICIOUS

Office (OLE) / .XLS

84.0 KB
MD5: 24e3594e2ef563633d18e72705302782 SHA-1: 400d28a7144fdf5e8ae23d2b5ded523c8be23ce8 SHA-256: b841c3f629d37332387c37fa021e43a4717d8231e14c81af036ffb2a07467ba6
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information

The sample is an OLE document containing a large slack space anomaly and an embedded PE executable. The document body presents itself as various application forms, likely a lure to trick the user into interacting with the embedded malicious executable. The presence of XOR-encoded strings and PEB access suggests the embedded executable is designed to evade detection and potentially download further payloads.

Heuristics 4

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'RegOpenKeyExA'
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00010a00.exe
b0252450c6862ac2ba16cd64f7721e41946080b621373baa0f6987e42fbbb964		 embedded-pe Office MZ+PE at offset 0x10A00 17920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.