Office (OLE) / .XLS malware analysis — malicious · 7c6a0fd87b6028f6

MALICIOUS

Office (OLE) / .XLS

60.9 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 65099b4afba64d41ace97926354d5c79 SHA-1: cd79b90d45d3df92c39662bb4237f78a178f7995 SHA-256: 7c6a0fd87b6028f6cdc13e5afd2cb5ddc47d61b4701e39fdd66a34b5a0b1d907

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The sample is an OLE Excel file with a high slack anomaly, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub heuristic firing suggests the potential for code execution. Without further script or URL evidence, the exact attack vector remains unclear, but the heuristics point towards a malicious document designed to execute code.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDI)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 62,346 bytes but its declared streams total only 24,565 bytes — 37,781 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.