Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 29b450084d62ba78…

MALICIOUS

Office (OLE) / .XLS

Size: 120.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: cbd679482552be2af4529f218c9a0ba0
SHA-1: a6f708f8e5839f934a873ad5e21a39fe788732f9
SHA-256: 29b450084d62ba78c1578f9c3032f44ffcec240aed7b08fa57f61d0424a34436
Risk Score: 80

Malware Insights

The sample is an Excel spreadsheet with an unusually large proportion of slack space, a common technique for hiding content from parsers. The SC_GETPC_CALL heuristic indicates the presence of code that likely attempts to evade analysis or execute arbitrary code. Without further script or URL evidence, the exact payload and delivery mechanism remain unclear, but the heuristics strongly suggest malicious intent.

Heuristics (2)

  • SC_GETPC_CALL (severity: high): x86 GetPC stub (CALL $+5; POP EDI)
  • OLE_SLACK_ANOMALY (severity: high): OLE document has a large unaccounted-for region
    The OLE file is 122,842 bytes, but its declared streams total only 24,565 bytes; the remaining 98,277 bytes (80%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).