Office (OLE) / .XLS malware analysis — malicious · ba0ee37b63944d03

MALICIOUS

Office (OLE) / .XLS

107.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: d4791cbbc4ac2b217a1a1f30232e121e SHA-1: 0a9f4477480316d992d6fb80d7f7f861ba8d03a9 SHA-256: ba0ee37b63944d03d4da4e91a78f702a9c04a9bf895ee6bcc78682ebd1e6a892

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The OLE document exhibits a large unaccounted-for region and appended executable-looking payload bytes, indicating it's likely a container for malicious code. While VBA macros could not be extracted, the presence of appended data strongly suggests the file's purpose is to deliver a secondary payload. The SHA256 hash is included as a primary IOC.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 109,592 bytes but its declared streams total only 24,565 bytes — 85,027 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.