Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 75923b068728a6fb…

MALICIOUS

Office (OLE) / .XLS

Size: 107.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 16e73d6b3add50f28031fb80a8523eeb
SHA-1: 23f88dd3db7f62ff5074bb2ae80294ae0eb8a870
SHA-256: 75923b068728a6fbb9379f9a5a6c155aec18ef0a84786837728b40ce84fc3ac5
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The OLE document exhibits characteristics of an appended payload, with a significant portion of the file's slack space containing executable-looking bytes. This suggests the Excel file is a dropper or loader for a secondary malicious component. The high slack space and appended payload heuristics indicate a high likelihood of malicious intent, likely delivered via spearphishing.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 109,592 bytes but its declared streams total only 24,565 bytes; 85,027 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high, rule: OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.