Office (OLE) / .XLS malware analysis — malicious · d71f1625455e7273

MALICIOUS

Office (OLE) / .XLS

229.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 7897e08037880c42e41a09f8665615ec SHA-1: efc15a29549badfd490121b1f69c03ccdd8fbe1f SHA-256: d71f1625455e7273b352cfce3a79a82e8fdc2084747a84cd743ff210261288c2

220 Risk Score

Malware Insights

MITRE ATT&CK

T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information

This XLS file exhibits multiple high-severity heuristic firings, including references to WinExec, LoadLibrary, and GetProcAddress, indicating dynamic code execution. The presence of XOR-encoded strings with a key of 0x03 suggests an attempt to hide malicious code or URLs. The large slack space in the OLE structure is also anomalous. These indicators collectively point to a downloader or droppper functionality, likely attempting to fetch and execute further malicious content.

Heuristics 5

XOR-encoded strings (key 0x03) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x03: 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA', 'WriteProcessMemory', 'ReadProcessMemory'
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 235,008 bytes but its declared streams total only 24,565 bytes — 210,443 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.