Office (OLE) / .XLS malware analysis — malicious · 31bc8d7d9cb90821

MALICIOUS

Office (OLE) / .XLS

63.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: cdae4f680a5e8b300ce695f83a0c361c SHA-1: c69d309d720044b91eb84d37f5a23afa3e4c2671 SHA-256: 31bc8d7d9cb908210765d616980948af07c1a11a0d7ba80f0c471b50b2dcd7c5

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an OLE Excel file with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of API calls related to process creation (CreateProcess), dynamic library loading (LoadLibrary), and function retrieval (GetProcAddress), strongly suggesting the execution of arbitrary code. The lack of document body text or script content means the exact payload and delivery mechanism cannot be determined, but the API calls point towards a downloader or dropper functionality.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,512 bytes but its declared streams total only 24,565 bytes — 39,947 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.