Office (OLE) / .XLS malware analysis — malicious · b8b699cd674e9016

MALICIOUS

Office (OLE) / .XLS

63.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: db8f158197da5bddbc439883a4f0cb37 SHA-1: 4f79c1945779008395060d878582e0eaa24a6251 SHA-256: b8b699cd674e901603ccf2b5194b4483ad4a2fd87c0a36ddba9f2617dce3c90c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell

The sample is an Excel spreadsheet exhibiting a significant slack space anomaly, often indicative of packed or obfuscated content. High-severity heuristics indicate the presence of references to CreateProcess and ShellExecute APIs, suggesting an attempt to launch external processes. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the API calls strongly imply malicious execution.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 65,024 bytes but its declared streams total only 24,565 bytes — 40,459 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.