Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 5eec1a1ff72c23e5…

MALICIOUS

Office (OLE) / .XLS

Size: 145.4 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: f8b6dd740e0474901a3118bc19866af7
SHA-1: 302662d6b8a0903c5a8cbaf96ef3a1a5c4bba6e5
SHA-256: 5eec1a1ff72c23e5b83444ebdfe6e39c57d664a73ae674525d327d5c59e630b9
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file containing appended executable payload bytes and exhibits characteristics related to CVE-2009-0556, a vulnerability in Microsoft PowerPoint. This suggests the file is designed to exploit this vulnerability for client-side code execution.

Heuristics (3)

  • PowerPoint OffArray-style record stub, CVE-2009-0556 related (severity: high; category: CVE related; rule ID: PPT_CVE_2009_0556_RELATED)
    Small embedded PowerPoint Document stream contains the sparse record set associated with OffArray-style exploit stubs and lacks normal text/placeholder atoms. This is CVE-2009-0556-family evidence, reported as related until the malformed OffArray field is validated directly.
  • OLE document has large unaccounted-for region (severity: high; rule ID: OLE_SLACK_ANOMALY)
    OLE file is 148,928 bytes but its declared streams total only 15,628 bytes — 133,300 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high; rule ID: OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.