Office (OLE) / .XLS malware analysis — malicious · cafcc5c9d1325e86

MALICIOUS

Office (OLE) / .XLS

63.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: e4325aca9303d489abece6b03933770c SHA-1: 0393d96ec8a6890ccf49cea4aeea39d65a24dc73 SHA-256: cafcc5c9d1325e863d6bfc85f345b7975a74991b745f3bbc78de266977203e17

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly, suggesting hidden or obfuscated content. Heuristics indicate the use of CreateProcess and ShellExecute APIs, commonly employed to launch malicious payloads. Without a document body or script content, the exact execution method and payload remain unclear, but the API calls point towards an attempt to execute arbitrary code.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 65,024 bytes but its declared streams total only 24,565 bytes — 40,459 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.