Office (OLE) malware analysis — malicious · 21a0b7139617dfe2

MALICIOUS

Office (OLE)

92.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: fefc8460fb70e69ac0c3d22ce9466a49 SHA-1: df9a5f946c615dae52c995c426870706eca98eff SHA-256: 21a0b7139617dfe2719f1991cfffd0ae32535fdfb52e67f1c47571b2ce7498d7

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File

The sample is an Excel document exhibiting OLE slack anomalies, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of CreateProcess and ShellExecute APIs, suggesting an attempt to launch external processes. The lack of document body text or scripts limits further analysis, but the API calls strongly suggest the execution of a secondary payload.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 94,716 bytes but its declared streams total only 24,565 bytes — 70,151 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.