Office (OLE) / .XLS malware analysis — malicious · 0d0d65aa2c83e1cb

MALICIOUS

Office (OLE) / .XLS

229.4 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 5804c68681bfae2ab908206a0433f9e2 SHA-1: 877a17d9a1eba657a3424b914cbb3feed596a650 SHA-256: 0d0d65aa2c83e1cb87a0c5c4690228a7612acbc76fdfe410c1101f8adccec500

220 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an OLE Excel file exhibiting significant slack space and appended executable payload bytes, indicating a packed or embedded malicious component. Heuristics indicate the use of ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the execution of shellcode or a dynamically loaded library. The document body contains seemingly legitimate text about permit applications, likely a lure to disguise the malicious intent.

Heuristics 6

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 234,944 bytes but its declared streams total only 21,308 bytes — 213,636 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.