Office (OLE) / .XLS malware analysis — malicious · 25aab0ecb00197e0

MALICIOUS

Office (OLE) / .XLS

107.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 361f9dd3de2aeab5e058b895e5efd5a8 SHA-1: 4a488f2ae0245b55adefefebf0294dc02c7b6f14 SHA-256: 25aab0ecb00197e014c3b87791f2662270f58800a48a6e8b7ea1e463ea9a76cd

120 Risk Score

Malware Insights

The presence of references to LoadLibrary and GetProcAddress APIs, combined with a significant slack space anomaly in the OLE structure, suggests the file contains embedded code designed to dynamically load and execute further malicious content. The file type is a Microsoft Excel spreadsheet, and the heuristics indicate potential for macro execution or embedded shellcode. Without a document body or script content, the exact payload and delivery mechanism remain unclear, leading to a lower confidence in family attribution.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 109,568 bytes but its declared streams total only 24,565 bytes — 85,003 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.