Office (OLE) / .XLS malware analysis — malicious · cc3ef1708d3f83c9

MALICIOUS

Office (OLE) / .XLS

84.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 8893fa53c556c542363c80a407c9a540 SHA-1: 45aca6a35780ee1fb8d594413d0c710e8360ca06 SHA-256: cc3ef1708d3f83c977e445b286687e3bcbde9837f4f2d9748230c3d516f8ac75

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample is an OLE Excel file with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of references to CreateProcess and ShellExecute APIs, suggesting an attempt to launch external processes. The file is classified as malicious, but no specific family could be identified from the available evidence.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 86,016 bytes but its declared streams total only 24,565 bytes — 61,451 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.