Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 eaea70d435d06007…

MALICIOUS

Office (OLE) / .XLS

Size: 111.4 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 7af2c21037331e0d1df070ee240d4d46
SHA-1: 247ee4b711e687aa347a66e8a22f42aebe33d6a0
SHA-256: eaea70d435d0600704ef54e9a7495bf8853036bf8be43109645213a590b0cb05
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is a malicious Excel spreadsheet. Static analysis detected a high-severity heuristic indicating an OLE document with a large unaccounted-for region, suggesting obfuscation or embedded malicious content. Another high-severity heuristic identified an x86 GetPC stub, commonly used in shellcode. While no specific document body content or scripts were extracted, these indicators point towards an embedded exploit.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EDI) — severity: high — rule: SC_GETPC_CALL
    A position-independent code stub that retrieves its own address, a pattern typical of shellcode.
  • OLE document has large unaccounted-for region — severity: high — rule: OLE_SLACK_ANOMALY
    The OLE file is 114,058 bytes but its declared streams total only 24,565 bytes; the remaining 89,493 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).