Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5e4482bbee957a1c…

MALICIOUS

Office (OLE) / .XLS

Size: 107.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 853d95bf44944b8ee8ead29769e3df3a
SHA-1: ea642677b8221167ff520d574ac2e7074a125bf0
SHA-256: 5e4482bbee957a1ceac2284bc6ab1820c2b96e1e71cae5a739fbc03cf47bc191
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The OLE document exhibits anomalies in its slack space and contains an appended executable-looking payload, indicating an attempt to hide malicious content. The file's structure and appended data strongly suggest it is designed to exploit a vulnerability when opened, most likely delivered as a spearphishing attachment.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 109,592 bytes but its declared streams total only 24,565 bytes; the remaining 85,027 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high; rule: OLE_APPENDED_PAYLOAD)
    The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.