Office (OLE) / .XLS malware analysis — malicious · 2355325e5e16464b

MALICIOUS

Office (OLE) / .XLS

82.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: c1bdc78e45aba194eb00713998a79b5b SHA-1: 408a50f5dcd3706480d7661a5b6cc76a22ad4977 SHA-256: 2355325e5e16464b77eabd29654bc2313cffa49370a758cda6e56054fb86a3fd

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File T1059.001 PowerShell

The sample exhibits high-confidence heuristic firings indicating the use of Windows API functions such as CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress. Additionally, a suspicious invocation of cmd.exe with an execution flag was detected. The OLE slack anomaly suggests potential obfuscation or embedded malicious content. These indicators collectively point to an attempt to execute arbitrary code, likely to download and run a secondary payload.

Heuristics 7

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 83,991 bytes but its declared streams total only 24,565 bytes — 59,426 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.