Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d37389e925240873…

MALICIOUS

Office (OLE) / .XLS

164.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 821c4abc533bbfa43cca087d029de09b SHA-1: cf6f2b6a91bffa1bc16f58d5b98c990881134963 SHA-256: d37389e925240873869ee3d30c5d3a1b4652ba4e21c9cdfa1a50b04e2c3171b5
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE Excel file exhibiting a large slack space anomaly and XOR-encoded strings, indicating obfuscation. The PEB access heuristic further suggests malicious intent. While no specific document body content or scripts were directly indicative of a particular lure, the overall structure and heuristics point to a malicious document designed to conceal its true payload.

Heuristics 3

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'LoadLibraryW', 'GetProcAddress', 'CreateProcessW', 'RegOpenKeyExW', 'ShellExecuteW'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 167,936 bytes but its declared streams total only 21,308 bytes — 146,628 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.