Office (OLE) / .XLS malware analysis — malicious · 0ae21a9c79b1d293

MALICIOUS

Office (OLE) / .XLS

214.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 5759f4345aa252e0d052281a65bc3e36 SHA-1: 411d5c6e8c7bb6c54b5c5984bddd88f6d7540a2f SHA-256: 0ae21a9c79b1d293d7ba4bfe8180380355b9de4bd2b4a87c35e75f0ecf84dc63

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The presence of high-severity heuristics referencing VirtualAlloc, LoadLibrary, and GetProcAddress strongly suggests the sample is designed to dynamically load and execute code, likely a second-stage payload. The OLE Slack Anomaly further indicates potential obfuscation or padding within the file structure. While no specific URLs or scripts were extracted, the API calls point to a downloader or dropper functionality.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 219,138 bytes but its declared streams total only 21,308 bytes — 197,830 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.