Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b96f240b2ea117f7…

MALICIOUS

Office (OLE) / .XLS

Size: 943.9 KB (966,538 bytes)   Created: 1996-12-17 01:32:42   Authoring application: Microsoft Excel
MD5: 60abd8a5c7b53ed6168b9b20099a9035 SHA-1: e70d3b60cdfd57ea2c4c71f42f7e31f70d2ae57a SHA-256: b96f240b2ea117f72a6fbc38ffa6d22e9faa26951f33de646e067d10a2e23b10
Risk Score: 80

Malware Insights

The sample is an Excel spreadsheet in which almost all of the file sits in unallocated OLE sector slack, a common hiding place for malicious content in Office documents. The presence of an x86 GetPC stub further points to embedded shellcode. Because no document body or scripts were recovered, the exact payload and the delivery mechanism remain unconfirmed, which lowers the confidence score.
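The GetPC pattern behind the SC_GETPC_CALL heuristic is a fixed six-byte sequence, which makes it cheap to scan for. The block below is an added example, not the scanner's own code: it searches a region for CALL $+5; POP reg in the clear and also under any single-byte XOR key, using the fact that the zero rel32 of the CALL encrypts to four copies of the key. The test region, the function names (find_getpc, find_getpc_xor, build_sample) and the 0x5A key are constructed for the example.

```python
"""Locate the x86 GetPC idiom CALL $+5 ; POP reg in a byte region, both in the
clear and under any single-byte XOR key.

CALL $+5 encodes as E8 00 00 00 00: a near CALL whose rel32 displacement is
zero pushes the address of the next instruction and falls through to it, and
the following POP r32 (58..5F) leaves that address in a register. Shellcode
dropped at an unknown address uses it to find itself.
"""
import re
from typing import List, Tuple

GETPC_RE = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")   # CALL $+5 ; POP r32
POP_REG = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # opcode 0x58 + index


def find_getpc(buf: bytes) -> List[Tuple[int, str]]:
    """Plaintext scan: (offset, popped register) for every stub in buf."""
    return [(m.start(), POP_REG[m.group()[5] - 0x58]) for m in GETPC_RE.finditer(buf)]


def find_getpc_xor(buf: bytes) -> List[Tuple[int, int, str]]:
    """Single-byte-XOR-aware scan returning (key, offset, popped register).

    Under key k the zero rel32 becomes k k k k, so any run of four equal bytes
    nominates a candidate key; the byte before must then decode to E8 and the
    byte after to a POP opcode. One linear pass covers all 256 keys, key 0
    being the plaintext case.
    """
    hits = []
    for i in range(len(buf) - 5):
        key = buf[i + 1]
        if buf[i + 2] != key or buf[i + 3] != key or buf[i + 4] != key:
            continue
        if buf[i] ^ key != 0xE8:
            continue
        pop = buf[i + 5] ^ key
        if 0x58 <= pop <= 0x5F:
            hits.append((key, i, POP_REG[pop - 0x58]))
    return hits


def xor_bytes(buf: bytes, key: int) -> bytes:
    """XOR every byte of buf with a single-byte key."""
    return bytes(b ^ key for b in buf)


def build_sample() -> bytes:
    """Constructed test region (not the analysed file): inert filler whose
    adjacent bytes never repeat, with a plaintext CALL $+5; POP EDI at offset
    100 and a 0x5A-XOR-encoded CALL $+5; POP EBX at offset 306."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(512))
    stub_edi = b"\xe8\x00\x00\x00\x00\x5f"
    stub_ebx = b"\xe8\x00\x00\x00\x00\x5b"
    return filler[:100] + stub_edi + filler[100:300] + xor_bytes(stub_ebx, 0x5A) + filler[300:]


if __name__ == "__main__":
    for key, off, reg in find_getpc_xor(build_sample()):
        print(f"offset {off:#x}: CALL $+5; POP {reg} (xor key {key:#04x})")
```

Treat hits as leads rather than proof: CALL $+5 also appears in ordinary position-independent code, and shellcode can obtain its address by other means (an FPU FSTENV trick, for instance), so a hit should be followed by disassembling the bytes that come after the POP.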

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL
    Byte sequence E8 00 00 00 00 5F. A CALL with a zero displacement pushes the address of the instruction that follows it, and the POP loads that address into EDI; position-independent shellcode uses the idiom to learn where it has been placed. The pattern has no legitimate place in a spreadsheet's data streams.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The OLE file is 966,538 bytes but its declared streams total only 24,565 bytes; the remaining 941,973 bytes (97%) lie in sector slack that no FAT chain references. This is the canonical hiding place for macro-less Office exploit payloads: XOR-encoded shellcode that a parser pointer-corruption bug in the document structure redirects execution into.
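The slack heuristic above comes down to a few compound-file (CFB) header, FAT and directory computations. The following Python is an added example, not the scanner's own code: it builds a small constructed CFB v3 file, then reports the declared stream bytes, the bytes the FAT accounts for, and the offset ranges nothing accounts for, so that those ranges can be handed to a shellcode scanner. The function names (measure_slack, build_sample, dir_entry), the SlackReport shape and the constructed layout are assumptions; only CFB v3 (512-byte sectors) with the header-resident DIFAT is handled, and the unused tail of each stream's last sector is not counted as slack.

```python
"""Measure how much of an OLE2 / CFB file lies outside every FAT chain.

Constructed example, not the analysed sample. Sector n of a CFB file starts
at (n + 1) * sector_size; the FAT has one 32-bit entry per sector, and a
sector whose entry is FREESECT (or that lies beyond the FAT altogether) is
not reachable through any stream, storage or directory chain.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF


@dataclass
class SlackReport:
    file_size: int
    sector_size: int
    stream_bytes: int                      # sizes declared by directory entries
    allocated_bytes: int                   # header plus every FAT-referenced sector
    unallocated_bytes: int                 # bytes no FAT entry accounts for
    slack_ranges: List[Tuple[int, int]]    # (offset, length) of those bytes


def measure_slack(data: bytes) -> SlackReport:
    """Parse header, FAT and directory defensively (bounded chain walk, no trust
    in out-of-range sector numbers) and report unallocated space."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)     # header-resident DIFAT only

    def sec(n: int) -> int:                # file offset of sector n
        return (n + 1) * sector_size

    fat: List[int] = []
    for s in difat[:num_fat]:
        if sec(s) + sector_size <= len(data):          # ignore FAT sectors outside the file
            fat += struct.unpack_from(f"<{sector_size // 4}I", data, sec(s))

    stream_bytes, s, seen = 0, first_dir, set()
    while s < len(fat) and s not in seen and sec(s) + sector_size <= len(data):
        seen.add(s)                        # a looped chain terminates here
        for off in range(sec(s), sec(s) + sector_size, 128):
            if data[off + 0x42] == 2:      # object type 2 = stream
                stream_bytes += struct.unpack_from("<I", data, off + 0x78)[0]  # v3: low 32 bits
        s = fat[s]                         # ENDOFCHAIN/FREESECT exceed len(fat) and end the walk

    n_sectors = (len(data) - 1) // sector_size         # sectors present after the header
    ranges: List[Tuple[int, int]] = []
    for i in range(n_sectors):
        if i < len(fat) and fat[i] != FREESECT:
            continue                       # referenced by the FAT: accounted for
        off, ln = sec(i), min(sector_size, len(data) - sec(i))
        if ranges and ranges[-1][0] + ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + ln)   # merge adjacent slack
        else:
            ranges.append((off, ln))
    unalloc = sum(ln for _, ln in ranges)
    return SlackReport(len(data), sector_size, stream_bytes, len(data) - unalloc, unalloc, ranges)


def dir_entry(name: str, obj_type: int, start: int, size: int, child: int = NOSTREAM) -> bytes:
    """One 128-byte directory entry with both siblings set to NOSTREAM."""
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 0x40, len(raw), obj_type, 1)   # name length, type, colour
    struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)


def build_sample(slack: bytes) -> bytes:
    """Constructed CFB v3 file: FAT in sector 0, directory in sector 1, a
    1000-byte 'Workbook' stream in sectors 2-3, then `slack` appended where no
    FAT entry points."""
    header = bytearray(512)
    header[:8] = MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)    # v3, 512-byte sectors
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header[0x4C:0x200] = struct.pack("<I", 0) + b"\xff" * 432           # DIFAT[0] = FAT sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, 3, ENDOFCHAIN, *([FREESECT] * 124))
    directory = (dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + dir_entry("Workbook", 2, 2, 1000) + bytes(256))
    stream = (b"\x09\x08" * 500).ljust(1024, b"\x00")                   # 1000 bytes, 2 sectors
    return bytes(header) + fat + directory + stream + slack


if __name__ == "__main__":
    report = measure_slack(build_sample(bytes(1536)))
    print(report)
    print(f"unallocated: {100 * report.unallocated_bytes / report.file_size:.0f}% of file")
```

A few free sectors are normal in a file that has been edited and re-saved, so the ratio is the signal, not the mere presence of slack; for this page's sample the scanner's own arithmetic is 966,538 - 24,565 = 941,973 bytes, 97% of the file. Contents of the mini stream live inside the root entry's stream and are therefore counted as allocated.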