Office (OLE) / .XLS malware analysis — malicious · be5c7b866b6f7366

MALICIOUS

Office (OLE) / .XLS

86.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: ab364aa1ab812c2e911b5b2f7ba699f6 SHA-1: 1657dcab191d6af48c34f9c2be7d785c88ea90f3 SHA-256: be5c7b866b6f736677ffbdf548b4ae81c650be1e7ced49140470a3cc9a8c8dd9

140 Risk Score

Malware Insights

The sample is an OLE document with significant slack space, indicating potential obfuscation or appended malicious content. Heuristics indicate PEB access and XOR-encoded strings, suggesting attempts to evade detection. The document body presents itself as a set of application forms for various permits, a common lure for social engineering attacks. No scripts were extracted, and no URLs were found, limiting the ability to determine the exact payload or family.

Heuristics 3

XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'kernel32.dll'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 88,064 bytes but its declared streams total only 21,308 bytes — 66,756 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.