Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 74c8d7f76b06d909…

MALICIOUS

Office (OLE) / .XLS

Size: 181.9 KB | Created: 1996-12-17 01:32:42 | Authoring application: Microsoft Excel
MD5: 0f6946d64b4eeaf87a264378e86caa22 | SHA-1: bfbf2d131c7cea773d7fd501e7dd43f9fe63eca5 | SHA-256: 74c8d7f76b06d909c2153fc6431f673df0b37436664ac9aaa7b3f8378103103e
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an OLE document with significant slack space and an appended executable payload, indicating it is likely a dropper. The presence of OLE-specific heuristics and the file type suggest an exploit targeting Microsoft Excel. While no specific VBA or script content was extracted, the overall structure points to a malicious document designed to execute arbitrary code.

Heuristics (3)

  • PEB access via FS segment (x86) [severity: high, SC_PEB_ACCESS]
  • OLE document has large unaccounted-for region [severity: high, OLE_SLACK_ANOMALY]
    OLE file is 186,310 bytes but its declared streams total only 21,308 bytes; 165,002 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes [severity: high, OLE_APPENDED_PAYLOAD]
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.