Office (OLE) / .XLS malware analysis — malicious · 1f83773c92f6dd38

MALICIOUS

Office (OLE) / .XLS

105.9 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 1ead42a8625e0d9b2a76e0bad1216d31 SHA-1: d3cde44d01c520aea1c32e4761f1ff42394f875b SHA-256: 1f83773c92f6dd38737948e8a10371cad68050b9a2dee1ebf3b56002462d1a03

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The file is an OLE Excel spreadsheet with a high slack space anomaly, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub heuristic firing suggests the potential for code execution. While no specific VBA or script content was extracted, the combination of these indicators points to a malicious document likely designed to execute a payload.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDI)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 108,426 bytes but its declared streams total only 24,565 bytes — 83,861 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.