Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ef47ab3c371a015d…

MALICIOUS

Office (OLE) / .XLS

84.0 KB
MD5: 216d4daf499ea26365d099e99af9c8ae SHA-1: b2470191c4beec7e4f8cab10986abbe017b9f2c3 SHA-256: ef47ab3c371a015d47baf3969533754b474082918a94b6b10e9873ad0fa7e367
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document with a large slack space anomaly, indicating potential obfuscation or embedded content. Heuristics indicate XOR-encoded strings and PEB access, suggesting malicious code execution. The document body contains text related to various application forms for permits, which is a common lure for phishing or social engineering attacks. No scripts were extracted, and the XOR key was identified as 0x97.

Heuristics 3

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'RegOpenKeyExA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.