Office (OLE) / .XLS malware analysis — malicious · 648b8263169421c7

MALICIOUS

Office (OLE) / .XLS

1.92 MB

MD5: 53756529429667a64fc968455735aef4 SHA-1: 9c7457c673f2b7d0478dd78719cd3020bd7d8e98 SHA-256: 648b8263169421c7995479dbbc8ededee1a45a27bde1e6cd6d1f018a75155151

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1137.001 Office Application Build T1137.002 Office Application Shimming

The file is an OLE document exhibiting anomalies such as slack space and empty streams, indicating potential obfuscation or corruption. It contains embedded OLE and PDF documents, with the PDF showing signs of being an image-only lure. The presence of multiple embedded Office documents suggests a multi-stage attack, likely initiated via spearphishing.

Heuristics 6

Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE

A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 2,009,088 bytes but its declared streams total only 0 bytes — 2,009,088 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS

The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`polyglot_child_pdf_off0009c000.pdf` `e3532a77e427b5683d516035bb076e555422ddb6f892093988cc495ae07f559a`	polyglot-child-pdf	Secondary PDF body inside ole container at offset 0x9C000	1370112 bytes
`embedded_office_off0000c000.ole` `602f07da8d06e0c316c260860baa48dd8edf4c916dd343fec6127701bf0b436c`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0xC000	1959936 bytes
`embedded_office_off0007c000.ole` `aa9b3e3ba44e59914f7ddb3f85bcc3e314d650bb1753ee89fbc9c787b0bb21f0`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x7C000	1501184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.