Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 9db2ffd0eb5d545e…

MALICIOUS

Office (OLE) / .XLSX

Size: 126.9 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 2114eacf7f8cb0537b289675a995fb7a
SHA-1: df6b50e0bb06057a7375b94b2157cb0c540020c3
SHA-256: 9db2ffd0eb5d545e4fd53e4b6e5f0cda7a45c30e24ac57e7d28e7c2be91f0d03
Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1564.004 Hide Artifacts: Masquerading
  • T1027 Obfuscated Files or Information

The OLE document exhibits a significant slack space anomaly and contains an appended executable payload with high tail entropy. This indicates the file is likely a dropper designed to deliver a secondary malicious payload. The document body content appears benign, providing instructions for various application forms, which serves as a lure.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    The OLE file is 129,917 bytes, but its declared streams total only 21,308 bytes; the remaining 108,609 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high, OLE_APPENDED_PAYLOAD)
    The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.