Office (OLE) / .XLS malware analysis — malicious · 26052b4f8ccc2c9c

MALICIOUS

Office (OLE) / .XLS

193.4 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 8f51b0e60d4d4764c480af5ec3a9ca19 SHA-1: 25691e9940ee43ac73b187ce4fba09eb81e73f57 SHA-256: 26052b4f8ccc2c9cd2da68fd383687895806d3f65f04182c87fdd06c8a6d9ef7

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution

The sample is an OLE Excel file with a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress, which are commonly used by malware to load and execute code. The lack of document body text or scripts makes it difficult to determine the exact payload or delivery mechanism, but the API calls strongly suggest a downloader or shellcode execution.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 198,045 bytes but its declared streams total only 24,565 bytes — 173,480 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.