Office (OLE) / .XLS malware analysis — malicious · 493b500c44f0e045

MALICIOUS

Office (OLE) / .XLS

64.0 KB Created: 1998-11-09 04:39:25 Authoring application: Microsoft Excel

MD5: 0ad71e4205d35efd172c7c23e46cd0af SHA-1: 818635fbef9e1ed58d63c2990a595efe05dffef4 SHA-256: 493b500c44f0e045aacec7681c6b8ebca63c4c0fc6e07d8959c1abd524070e20

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample is an OLE document containing an embedded PE executable. The presence of a reference to WinExec API suggests an attempt to execute the embedded file. The document body text appears to be a business-related request, potentially serving as a lure to encourage the user to open or interact with the malicious content, thereby triggering the execution of the embedded payload.

Heuristics 3

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 65,536 bytes but its declared streams total only 18,234 bytes — 47,302 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00005000.exe` `5866bd09e7559b3acff3d22dd04b3b0c870ac800fad7eb93e782e0dda7ce887f`	embedded-pe	Office MZ+PE at offset 0x5000	45056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.