Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5c1212b235fc70f2…

MALICIOUS

Office (OLE) / .XLS

Size: 281.7 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: 5f2494c63861ca50456e3ee4b0266c40
SHA-1: aa644bb00d40eeff4eae9bce8bb52a8dc0c01d92
SHA-256: 5c1212b235fc70f2273f41d3cd811147531947beae6a8c2fae6b4ffb6454ce4c
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file exhibiting an OLE slack anomaly and a heuristic related to CVE-2009-0556, indicating exploitation of a known Microsoft Office vulnerability. The file's structure suggests it is designed to execute arbitrary code upon opening.

Heuristics (2)

  • PowerPoint OffArray-style record stub, CVE-2009-0556 related (severity: high; category: CVE related; rule: PPT_CVE_2009_0556_RELATED)
    Small embedded PowerPoint Document stream contains the sparse record set associated with OffArray-style exploit stubs and lacks normal text/placeholder atoms. This is CVE-2009-0556-family evidence, reported as related until the malformed OffArray field is validated directly.
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    OLE file is 288,472 bytes but its declared streams total only 15,628 bytes — 272,844 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).