Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 2a3182a0ba557ddd…

MALICIOUS

Office (OLE) / .XLS

Size: 152.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 0ea0e8c01265d7931e8122d0fcdbe5db
SHA-1: ea221b2bbb73080ac349f5e372c5ba98027b91e3
SHA-256: 2a3182a0ba557dddcdcfc1f9addae7bde8ca358b527169402d924a27e09059f0
Risk Score: 120

Malware Insights

The presence of LoadLibrary and GetProcAddress API calls within the OLE document suggests the execution of shellcode or dynamic loading of malicious functions. The significant slack space in the OLE structure further indicates potential obfuscation or embedded malicious content. Without a document body or script content, the exact payload and delivery mechanism remain unclear, leading to a lower confidence in family attribution.

Heuristics (3)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    The document contains a string reference to the LoadLibrary API.
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    The document contains a string reference to the GetProcAddress API.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 155,671 bytes, but its declared streams total only 24,565 bytes; the remaining 131,106 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).