Office (OLE) / .XLS malware analysis — malicious · 2ef0b562495321f9

MALICIOUS

Office (OLE) / .XLS

122.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 328e2f67cf76f1331dba9cc4c7321ec7 SHA-1: cb69bdaf8b8a4d98af7b15604b9863128cde867e SHA-256: 2ef0b562495321f90282ec7dadca26c65e11522154da1ba84c6b8194e8a9e079

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution

The presence of high-severity heuristics referencing VirtualAlloc, LoadLibrary, and GetProcAddress indicates the file likely contains shellcode designed to dynamically load and execute code. The OLE Slack Anomaly further suggests the file may be packed or contain obfuscated content. Without a document body or scripts, the exact execution flow and payload are not discernible, leading to a lower confidence in family attribution.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 125,440 bytes but its declared streams total only 24,565 bytes — 100,875 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.