Office (OLE) / .XLS malware analysis — malicious · f0d718b138994a0b

MALICIOUS

Office (OLE) / .XLS

59.4 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 13389c05aa9219b822081f92fe6f3d91 SHA-1: 4c8940b09e3d04b91b95c3ec112df1724e6801bb SHA-256: f0d718b138994a0b7e38d4b902836be891d0b78ea434ec404d6ef62eea78a642

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The file is an OLE Excel spreadsheet with a high risk score. Static analysis detected a GetPC stub, often used in shellcode, and a significant amount of slack space within the OLE structure, which can be indicative of packed or obfuscated malicious content. While no specific document body or scripts were extracted, these heuristics suggest the file is designed to execute arbitrary code.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDI)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 60,810 bytes but its declared streams total only 24,565 bytes — 36,245 bytes (60%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.