Office (OLE) / .XLS malware analysis — malicious · f2302b0834584506

MALICIOUS

Office (OLE) / .XLS

84.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 1b4dfc26e4d139928e88229440d38615 SHA-1: 4266a520720818a489944a6fec082d89dc4c9aea SHA-256: f2302b0834584506585e159bb6895225ed326be483623b6842da7a2ce938d6f6

80 Risk Score

Malware Insights

The heuristic firing for ShellExecute indicates that the file attempts to execute external commands or programs. The large slack space in the OLE structure is also suspicious and may be used to hide malicious content. Without a document body or scripts, the exact payload and delivery mechanism cannot be determined, leading to a lower confidence in family attribution.

Heuristics 2

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 86,039 bytes but its declared streams total only 24,565 bytes — 61,474 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.