Office (OLE) / .XLS malware analysis — malicious · 325791ecf59ef683

MALICIOUS

Office (OLE) / .XLS

154.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 946f0d7532763dc609ac774809411365 SHA-1: 89bf0f02458133324389451f1a86eb52e6f94ae0 SHA-256: 325791ecf59ef683105b3bd80e309df21cfd974d10dfa905aec2041959354388

180 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1140 Deobfuscate or Obfuscate

The sample is a malicious Excel file exhibiting high-severity heuristics for heap spraying and references to LoadLibrary and GetProcAddress APIs, indicating potential shellcode execution. The large slack space in the OLE structure also suggests obfuscation or padding for malicious content. While no specific document body or script content was available for analysis, these indicators strongly suggest an attempt to exploit vulnerabilities or download and execute a secondary payload.

Heuristics 5

Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x41 (A) bytes found
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 157,719 bytes but its declared streams total only 24,565 bytes — 133,154 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x41 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.