Office (OLE) / .XLS malware analysis — malicious · eebbd21ba08ab832

MALICIOUS

Office (OLE) / .XLS

138.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel

MD5: 190629241aaa4383b516678a70d1b436 SHA-1: 9787fc94f9c421f8eaaaa7a57901ad0c3cbedf74 SHA-256: eebbd21ba08ab83282d561db33f807c2884da88a202954f3ca94282f0b4c5987

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is an OLE Excel file exhibiting a critical heuristic for XOR-encoded strings with key 0xFC. Additionally, it shows a high severity anomaly with a large slack region, indicating potential obfuscation or packed content. While no specific document body or script content is available for direct analysis of user-facing lures or payload execution, the presence of significant obfuscation strongly suggests malicious intent, likely as a downloader or droppper for further stages.

Heuristics 2

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 141,824 bytes but its declared streams total only 15,628 bytes — 126,196 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.