Malicious Office (OLE) / .RL — malware analysis report

Static analysis result for SHA-256 afe6b95ad95bc689…

MALICIOUS

Office (OLE) / .RL

84.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2026-06-21
MD5: 0e4e3c2d84a9bc726a50b3c91346fbb1 SHA-1: 52eb16966670b76f8728fda28c48bc6c49f20e07 SHA-256: afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc
140 Risk Score

Heuristics 3

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'RegOpenKeyExA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.