Office (OLE) / .XLS malware analysis — malicious · bf24ac45ec6e2252

MALICIOUS

Office (OLE) / .XLS

181.9 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 019b3c9dc7dd420725152b0cf3d94a8c SHA-1: e6482ddc81bc0f95c2e77704127068717f7f790c SHA-256: bf24ac45ec6e2252456ecd7613e046761249130caa6fd8ac075c9c03822e989c

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is an OLE document with a significant amount of slack space, indicating potential hidden or malicious content. The document body presents itself as an application form for various permits, a common lure for social engineering. The PEB access heuristic suggests the sample may be attempting to evade detection or manipulate its environment. No scripts were extracted from this sample, and no URLs were found, limiting the ability to determine the exact payload or family.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 186,310 bytes but its declared streams total only 21,308 bytes — 165,002 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.