Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 adca0b35097f4ed5…

MALICIOUS

Office (OLE) / .XLS

Size: 109.1 KB (111,678 bytes)
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 079c88a2a257596a85a891dd4549f5a8
SHA-1: 1bc72ea3c9727b37e06435abccb7cdd47968b8cc
SHA-256: adca0b35097f4ed513241f5cef3497c7d713bf1d92efa0cccbfd7351b79a67b2
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an OLE compound document in which 78% of the bytes (87,113 of 111,678) sit outside any declared stream, and that unallocated region carries executable-looking markers, so the sample is best treated as a payload carrier (dropper) rather than a plain spreadsheet. VBA macros could not be extracted, so no macro-driven delivery can be confirmed; the slack-region layout is instead consistent with the older pattern of a document-parser exploit that branches into encoded shellcode hidden in the slack. The URLs recovered from the document are PDF Info-dictionary and XMP namespace strings rather than hyperlinks, which points to PDF content embedded in or appended to the file; nothing extracted here shows the user being redirected to a site, so the secondary stage should be sought in the carved slack bytes rather than at the listed hosts.
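The slack measurement behind this verdict (and behind the OLE_SLACK_ANOMALY and OLE_APPENDED_PAYLOAD heuristics that follow) can be reproduced with a short FAT walk. The code below is an added example written for this page, not the scanner's own code: it parses the compound-file header and DIFAT, counts the sectors the FAT never allocates, carves those sectors together with any bytes past the last full sector, and runs an entropy and marker scan over the carved region. It measures FAT-unallocated sectors rather than summing directory stream sizes, so on a real file its byte count will differ slightly from the 24,565-byte stream total quoted above. The miniature OLE container it builds and the marker list are constructed assumptions, not data from the sample.

```python
"""Minimal CFB/OLE slack audit: count sectors the FAT does not allocate and scan them.

Added example for this report, not the scanner's code. The container built by
build_sample_ole() and the PAYLOAD_MARKERS list are constructed assumptions.
"""
import math
import random
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD

# Strings whose presence in unallocated sectors suggests a PE or loader payload (assumed list).
PAYLOAD_MARKERS = [b"MZ", b"This program cannot be run", b"LoadLibraryA",
                   b"GetProcAddress", b"VirtualAlloc", b"WinExec", b"CreateProcessA"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed payloads sit near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ole_slack_report(blob: bytes) -> dict:
    """Walk the header DIFAT and the FAT sectors, then report what the FAT never allocated."""
    if blob[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", blob, 30)[0]
    num_fat = struct.unpack_from("<I", blob, 44)[0]
    first_difat, num_difat = struct.unpack_from("<II", blob, 68)
    difat = list(struct.unpack_from("<109I", blob, 76))
    per_sector = sector_size // 4

    def sect_off(n):  # sector n lives at (n + 1) * sector_size; the header occupies "sector -1"
        return (n + 1) * sector_size

    # Larger files chain extra DIFAT sectors; the last entry of each points to the next one.
    sect = first_difat
    for _ in range(num_difat):
        if sect >= 0xFFFFFFFA or sect_off(sect) + sector_size > len(blob):
            break
        entries = struct.unpack_from(f"<{per_sector}I", blob, sect_off(sect))
        difat.extend(entries[:-1])
        sect = entries[-1]

    total_sectors = (len(blob) - sector_size) // sector_size
    trailing_bytes = (len(blob) - sector_size) % sector_size
    allocated = set()
    for k, fat_sect in enumerate(difat[:num_fat]):
        if fat_sect >= 0xFFFFFFFA or sect_off(fat_sect) + sector_size > len(blob):
            continue  # FAT sector missing or truncated: treat its range as unallocated
        entries = struct.unpack_from(f"<{per_sector}I", blob, sect_off(fat_sect))
        for j, entry in enumerate(entries):
            idx = k * per_sector + j
            if idx < total_sectors and entry != FREESECT:
                allocated.add(idx)

    # Everything the FAT leaves free, plus bytes past the last whole sector, is the slack region.
    slack_idx = [i for i in range(total_sectors) if i not in allocated]
    slack = b"".join(blob[sect_off(i):sect_off(i) + sector_size] for i in slack_idx)
    slack += blob[(total_sectors + 1) * sector_size:]
    return {
        "file_size": len(blob), "sector_size": sector_size,
        "total_sectors": total_sectors, "allocated_sectors": len(allocated),
        "slack_sectors": len(slack_idx), "trailing_bytes": trailing_bytes,
        "slack_bytes": len(slack), "slack_pct": round(100 * len(slack) / len(blob), 1),
        "slack_entropy": round(shannon_entropy(slack), 2),
        "markers": [m.decode() for m in PAYLOAD_MARKERS if m in slack],
    }


def build_sample_ole(slack_sectors: int = 10, seed: int = 7) -> bytes:
    """Constructed sample: FAT + directory + one stream, then sectors the FAT marks free."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)        # v3, 512-byte sectors
    struct.pack_into("<II", hdr, 44, 1, 1)                            # 1 FAT sector; directory at sector 1
    struct.pack_into("<I", hdr, 56, 4096)                             # mini-stream cutoff
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini-FAT, no extra DIFAT
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))        # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = bytes(512)                                            # placeholder directory sector
    stream = b"Workbook placeholder".ljust(512, b"\x00")
    rng = random.Random(seed)                                         # deterministic "encrypted" bytes
    payload = bytearray(rng.getrandbits(8) for _ in range(slack_sectors * 512))
    payload[100:102] = b"MZ"                                          # planted PE / loader markers
    payload[600:612] = b"LoadLibraryA"
    return bytes(hdr) + fat + directory + stream + bytes(payload)


if __name__ == "__main__":
    for key, value in ole_slack_report(build_sample_ole()).items():
        print(f"{key:>18}: {value}")
```

Run against a real sample by replacing `build_sample_ole()` with the file's bytes; a high `slack_pct` together with a `slack_entropy` near 8 and non-empty `markers` is the combination the two high-severity heuristics above fire on. Single-byte XOR encoding of the payload would hide the markers but not the entropy, so treat a high-entropy slack region with no markers as a reason to brute-force the XOR key, not as a clean result.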

Heuristics 4

  • OLE document has large unaccounted-for region  [high]  OLE_SLACK_ANOMALY
    The OLE file is 111,678 bytes but its declared streams total only 24,565 bytes, so 87,113 bytes (78%) sit in sectors that no stream accounts for. That slack is a classic hiding place for pre-macro-era Office exploit payloads: typically XOR-encoded shellcode that a parser pointer-corruption bug in the document structure jumps into. Check: walk the FAT, carve every sector it leaves free (plus any bytes past the last full sector), and look in the carved bytes for a single-byte XOR of an MZ/PE header or of loader API names.
  • OLE file has appended executable-looking payload bytes  [high]  OLE_APPENDED_PAYLOAD
    The compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Unsupported Office format for VBA extraction  [info]  OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely a legacy, encrypted, or malformed OLE/OOXML container, and re-scanning the same bytes will yield the same outcome. Caveat: PermissionError is an OS-level access error rather than a parse failure, so rule out the sandbox's own file permissions before attributing the miss to the file format.
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each one. In this sample every extracted string is PDF metadata: the pdf-repair.com hits carry Info-dictionary syntax (")/Producer(", ")/ModDate(") and the remaining entries are XMP/RDF namespace URIs, which indicates PDF content embedded in or appended to the file rather than a hyperlink the user is meant to follow. The ModDate string (D:20100406171120+08, i.e. 2010-04-06) also postdates the 1996 OLE creation timestamp, consistent with the PDF bytes having been added to an older container.
    Host: http://www.pdf-repair.com
    Raw matches:
    • http://www.pdf-repair.com)/Producer(Advanced
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
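The triage that the EMBEDDED_URL note asks for (which channel produced each string, and whether any of them is actually a link) can be automated over the raw matches listed above. The following is an added example for this page, not the scanner's own per-URL labelling: it strips PDF Info-dictionary residue such as `)/Producer(` off a captured string, recognises the standard XMP/RDF namespace URIs, and flags for review only URLs that neither explanation covers. The channel names, the namespace list and the regex of dictionary keys are assumptions; the input list is copied verbatim from the report.

```python
"""Label extracted URL strings by the channel they were lifted from.

Added example for this report, not the scanner's code. Channel names,
XMP_NAMESPACE_PREFIXES and PDF_INFO_RESIDUE are assumptions; REPORT_URLS is the
raw match list from the EMBEDDED_URL heuristic above.
"""
import re

# Namespace URIs present in the XMP metadata packet of almost every Adobe-produced PDF.
XMP_NAMESPACE_PREFIXES = (
    "http://ns.adobe.com/",
    "http://purl.org/dc/elements/1.1/",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
)
# A URL captured from inside a PDF Info dictionary runs straight into the next key: ")/Producer(".
PDF_INFO_RESIDUE = re.compile(
    r"\)/(Producer|Creator|Author|Title|Subject|Keywords|ModDate|CreationDate)\(")

REPORT_URLS = [  # verbatim from the report's EMBEDDED_URL section
    "http://www.pdf-repair.com",
    "http://www.pdf-repair.com)/Producer(Advanced",
    "http://www.pdf-repair.com)/ModDate(D:20100406171120+08",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://purl.org/dc/elements/1.1/",
]


def triage_url(raw: str) -> dict:
    """Return the cleaned URL and the channel that explains where the string came from."""
    url, channel = raw, "document_body"
    m = PDF_INFO_RESIDUE.search(raw)
    if m:
        url, channel = raw[:m.start()], "pdf_info_dictionary"
    if url.startswith(XMP_NAMESPACE_PREFIXES):
        channel = "xmp_namespace"
    return {"raw": raw, "url": url, "channel": channel}


def triage_all(raws) -> list:
    """Group raw matches by cleaned URL; a URL seen in any metadata channel is not a user-facing link."""
    by_url = {}
    for raw in raws:
        t = triage_url(raw)
        entry = by_url.setdefault(t["url"], {"url": t["url"], "channels": set(), "raw": []})
        entry["channels"].add(t["channel"])
        entry["raw"].append(raw)
    for entry in by_url.values():
        # Only a URL that no metadata channel explains deserves analyst attention.
        entry["needs_review"] = entry["channels"] == {"document_body"}
    return list(by_url.values())


if __name__ == "__main__":
    for entry in triage_all(REPORT_URLS):
        flag = "REVIEW" if entry["needs_review"] else "metadata"
        print(f"{flag:>8}  {entry['url']}  <- {sorted(entry['channels'])}")
```

On the report's list every entry resolves to a metadata channel, which is the basis for treating the hosts as pivots for hunting rather than as redirect or C2 indicators. A string with no `)/Key(` residue and no namespace prefix is the only kind this triage leaves marked for review.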