Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 eeb4ed35a159f49d…

MALICIOUS

Office (OLE) / .XLS

89.1 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: d243dc0cca9ba0943414b42702a4a638 SHA-1: 39b47a18f889d88d16715022f2c6be200ebf829e SHA-256: eeb4ed35a159f49d732bbe20e3f634a312837f4bfa99358b02d2fa4ebe49b872
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell

The sample is an Excel spreadsheet exhibiting a large slack space anomaly, indicative of obfuscation. Heuristics indicate the presence of XOR-encoded strings and a reference to the WinExec API, suggesting the potential execution of arbitrary code. Without a document body or script content, the exact payload and delivery mechanism remain unclear, leading to an 'unknown family' classification.

Heuristics 3

  • XOR-encoded strings (key 0x98) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x98: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA', 'RegOpenKeyExA'
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 91,269 bytes but its declared streams total only 24,565 bytes — 66,704 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.