Office (OLE) / .XLS malware analysis — malicious · 31877601ee4a1017

MALICIOUS

Office (OLE) / .XLS

142.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: d5ed8c9e6cc6fae8a031cf858e589490 SHA-1: 58184595b175ef6ba8502ed53653d37b35a42961 SHA-256: 31877601ee4a1017145eefdea8fb794dc4e486fc90aab29ea5e18a579c2ddf04

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded content. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting the execution of shellcode or dynamically loaded libraries. No scripts were extracted, and the document body content appears benign, making it difficult to determine the exact payload or delivery mechanism. The confidence is reduced due to the lack of explicit script content.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 145,922 bytes but its declared streams total only 21,308 bytes — 124,614 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.