Office (OLE) / .XLS malware analysis — malicious · 29efab32ff02b2e3

MALICIOUS

Office (OLE) / .XLS

117.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: da51bb344115c3ae7deb77a8a2a7de45 SHA-1: a014bef4afcdd0722a3c0f571ffd724b279303b3 SHA-256: 29efab32ff02b2e335efc6a315f240e1ec842841cfd55106a0f7c4840e0e6f4d

160 Risk Score

Malware Insights

MITRE ATT&CK

T1218 Signed Binary Proxy Execution

The sample is a malicious Excel spreadsheet that contains references to Windows API functions such as CreateProcess, LoadLibrary, and GetProcAddress. These functions are commonly used by malware to load and execute additional payloads. The large slack space in the OLE structure also suggests potential obfuscation or embedded malicious content. Without a document body or script content, the exact execution flow and final payload remain undetermined, leading to a moderate confidence score.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 119,808 bytes but its declared streams total only 24,565 bytes — 95,243 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.