Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e432967b2711fff9…

MALICIOUS

Office (OLE) / .XLS

84.0 KB
MD5: 400a43e0d5fc350c9ef3a0ca8e04c314 SHA-1: 33fc5982feca47bb0fc1e9f0c5a3dcb4cae9780b SHA-256: e432967b2711fff90869fcaa36630ce4828d7aaabba0a7e38845b6cd6e0a0b01
140 Risk Score

Malware Insights

The sample is an OLE document with significant slack space, indicating potential obfuscation. Heuristics indicate XOR-encoded strings and PEB access, common in malware. The document body presents itself as an application form for various permits, a common lure for social engineering. No scripts were extracted, and no specific IOCs were identified beyond the file itself.

Heuristics 3

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'kernel32.dll', 'shell32.dll', 'LoadLibraryA', 'GetProcAddress', 'RegOpenKeyExA', 'ShellExecuteA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.