Office (OLE) / .XLS malware analysis — malicious · 33742a0cafcfa438

MALICIOUS

Office (OLE) / .XLS

49.6 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: f0b2769a4dc289720d4e33af44f35e70 SHA-1: 76f09cc694344fb1f7694fc7b75fbd7c3d3c5141 SHA-256: 33742a0cafcfa438622d03a4d0801eb5c38a5f119ebff1732b88a812f2b23038

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell

The sample is an OLE Excel file with a significant amount of slack space, indicating potential obfuscation. Heuristics indicate suspicious access to the PEB and a high-confidence firing for cmd.exe invocation with an execution flag. This suggests an attempt to run a command-line payload.

Heuristics 3

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 50,813 bytes but its declared streams total only 24,565 bytes — 26,248 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.