Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3219c1ac8ae9472d…

MALICIOUS

Office (OLE) / .XLS

Size: 240.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 3067dfd6659d53c9110e5f0826d9a55e
SHA-1: a887fe8a13fd116e263d50a7f2308837d73c1cbe
SHA-256: 3219c1ac8ae9472d1a7851b503c5625fc2dabe51e2dcf0d1a5484250d8ec88a9
Risk Score: 120

Malware Insights

The sample is a malicious Excel spreadsheet. Heuristics indicate the presence of LoadLibrary and GetProcAddress API calls, suggesting dynamic code loading, a common technique for downloading and executing secondary payloads. The large amount of slack space in the OLE structure is also anomalous and may be used to hide malicious code or data. No document body or script content was available for further analysis.

Heuristics (3)

  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 246,295 bytes, but its declared streams total only 24,565 bytes; the remaining 221,730 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).