Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 eb2419799923449c…

MALICIOUS

Office (OLE) / .XLS

52.2 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 8f2e9039900c34fd370da42585986bcf SHA-1: fcb0085b35b064a8e99dafea8ade6bcec0c6ed17 SHA-256: eb2419799923449c3de4da137c4bcd455c735d1b665dd88c885d5f8d298164da
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1204.002 Malicious File

The file is an OLE spreadsheet containing an embedded PE executable. Heuristics indicate the use of WinExec, LoadLibrary, and GetProcAddress, suggesting the execution of the embedded payload. The XOR-encoded strings and large slack space are common obfuscation techniques. The embedded executable is the primary indicator of malicious intent, likely serving as a downloader or initial access vector.

Heuristics 7

  • XOR-encoded strings (key 0x1C) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x1C: 'ADVAPI32.DLL'
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 53,496 bytes but its declared streams total only 6,158 bytes — 47,338 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00002600.exe
8bd82459b54a0c20c1b5097b96b303f2bdd3181f9ae5c37c8f45a6802b952317		 embedded-pe Office MZ+PE at offset 0x2600 43768 bytes
ole10native_00.bin
635115de7a7b10f8260b65530dbc8f4a4676070daac68cbf2c2fedea77509e66		 ole-package OLE Ole10Native stream: MBD0002D799/Ole10Native 55 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.