Office (OLE) / .XLS malware analysis — malicious · bd739354852b56ad

MALICIOUS

Office (OLE) / .XLS

650.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: ce6587fb95c097b14ef834ce4cba1392 SHA-1: bf4086a6c747422e5c633c3ee4797b9fc85c4b43 SHA-256: bd739354852b56ad3649adda11531299cb4943ebae83a81b7dadf57de005efb1

60 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.002 Malicious Link: Malicious File

The file is an Excel spreadsheet with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The heuristic SE_ENABLE_LURE confirms that the document actively tries to trick the user into enabling macros, a common delivery mechanism for malware. While a URL was extracted, it was confirmed as benign, and no scripts were found.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 666,139 bytes but its declared streams total only 24,565 bytes — 641,574 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://dms.myflorida.com/business_operations/state_purchasing/documents_forms_references_resources/commodity_contractual_services_catalog

Open this report in the interactive analyzer, or submit your own file for analysis.