Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e51eabc230abe0e3…

MALICIOUS

Office (OLE) / .XLS

65.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: ed4107e161f1f5787f2e053e06122236 SHA-1: 21d24711ff1ba3520fb6072c0a3627c6acedde36 SHA-256: e51eabc230abe0e3b6d5a3679311a39ebd5d9de4df476e74bf559a0e012976e7
120 Risk Score

Malware Insights

The sample is an Excel spreadsheet exhibiting high-severity heuristics for obfuscated code, including GetPC stub usage and PEB access. The large slack space in the OLE structure further suggests malicious intent. While no specific family is identifiable, the techniques point to a macro-based attack.

Heuristics 3

  • x86 GetPC stub (CALL $+5; POP ESI) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP ESI)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 67,072 bytes but its declared streams total only 24,565 bytes — 42,507 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.