Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 870478f05e6c5187…

MALICIOUS

Office (OLE) / .XLS

Size: 90.1 KB | Created: 1996-10-14 23:33:28 | Authoring application: Microsoft Excel
MD5: 2b39deaeb48f5d48fba55a76422de7b4
SHA-1: 99f9d9cc890aa206df5e9e92492dfd6983585d41
SHA-256: 870478f05e6c518758d14237d581f4a2fc478f3e6cfc081c256ff294010abbff
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file exhibiting an OLE slack anomaly and a heuristic related to CVE-2009-0556, indicating exploitation of a known vulnerability. While no specific VBA or script content was extracted, the presence of these indicators strongly suggests an attempt to execute arbitrary code upon opening.

Heuristics (2)

  • PowerPoint OffArray-style record stub, CVE-2009-0556 related (severity: high; category: CVE related; id: PPT_CVE_2009_0556_RELATED)
    Small embedded PowerPoint Document stream contains the sparse record set associated with OffArray-style exploit stubs and lacks normal text/placeholder atoms. This is CVE-2009-0556-family evidence, reported as related until the malformed OffArray field is validated directly.
  • OLE document has large unaccounted-for region (severity: high; id: OLE_SLACK_ANOMALY)
    OLE file is 92,240 bytes but its declared streams total only 15,628 bytes; the remaining 76,612 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).