Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 a619f414c985c148…

MALICIOUS

Office (OLE) / .XLS

726.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2026-05-10
MD5: 790143625f0a4f7dfa0a42d8d7e0cbed SHA-1: 8e326ffe58ba14c797890b480963e77dcb5e8d09 SHA-256: a619f414c985c148edaacd7c3e0e0c7c07bb3da5600dd11f0e87366157919eed
100 Risk Score

Heuristics 2

  • Excel Index Array exploit — CVE-2008-3005 critical CVE likely CVE_2008_3005
    Legacy Excel workbook has the CVE-2008-3005 exploit shape: a compact BIFF8 FORMAT-index cluster paired with a normal XF table and a large unallocated OLE slack region used to stage the payload. The FORMAT pattern alone is not sufficient, so the rule requires the OLE slack payload-hiding context to keep false positives low.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 743,936 bytes but its declared streams total only 21,308 bytes — 722,628 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.