Office (OLE) / .XLS malware analysis — malicious · 0dccbd11efafa2e9

MALICIOUS

Office (OLE) / .XLS

392.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: fd53e6c754e08bde1f0815045a2f1724 SHA-1: 448ff0d2dbb3b74b7b4b03de76a4dd95b776a208 SHA-256: 0dccbd11efafa2e98422c5447508737afe670e78b9c58c77457627724882c298

200 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample is an Excel file exhibiting OLE slack anomalies and heuristics indicating the use of Windows API calls such as CreateProcess, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress. These indicators suggest the file is designed to download and execute a secondary payload. No specific family could be identified.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 401,922 bytes but its declared streams total only 21,308 bytes — 380,614 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.