Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c3f5e580b751432d…

MALICIOUS

Office (OLE) / .XLS

97.1 KB
MD5: 370296e69db15842539d1c35986d940e SHA-1: 14fb8787c793d8e4f2881a13c9a406c1428911cf SHA-256: c3f5e580b751432d338234d26b30ad6d41e9960112b5b0457e8d4854e292f878
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The presence of a NOP sled and a significant slack space anomaly within the OLE document strongly indicates that this file is designed to load and execute shellcode. While no scripts were extracted, the embedded URLs suggest a potential lure or command and control channel. The file type and heuristics point towards a malicious dropper.

Heuristics 3

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 99,390 bytes but its declared streams total only 12,288 bytes — 87,102 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdf-repair.com
    • http://www.pdf-repair.com)/Producer(Advanced
    • http://www.pdf-repair.com)/ModDate(D:20100406171120+08
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.