Office (OLE) / .XLS malware analysis — malicious · ef17e10c2a33acdf

MALICIOUS

Office (OLE) / .XLS

107.9 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 68388839b2e94684151e772cbf001b13 SHA-1: 794870924e4a69970387706d916a5348e7f12e59 SHA-256: ef17e10c2a33acdfae400fcdc79e6946d2d2bd33f1052e38ba16a11838d00959

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The file is an OLE Excel spreadsheet with a high percentage of slack space, indicating potential obfuscation or embedded malicious content. The SC_GETPC_CALL heuristic suggests the presence of shellcode or exploit code. While no specific document body or scripts were extracted, the combination of these factors points to a malicious intent, likely for exploitation or payload delivery.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDI)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 110,474 bytes but its declared streams total only 24,565 bytes — 85,909 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.