Office (OLE) / .XLS malware analysis — malicious · 331dbf6dbd3fe9cb

MALICIOUS

Office (OLE) / .XLS

125.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: b1dabee11fd7b202212a6419166eb031 SHA-1: 08ca359765e28ab8823a780d9f9e69583562aba3 SHA-256: 331dbf6dbd3fe9cbe67313dc8aab5cb873c7ade062e450156f8d767dd68e53a5

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1218 Signed Binary Proxy Execution

The file is an OLE Excel spreadsheet exhibiting a large slack space anomaly, indicative of potential obfuscation or embedded malicious content. Heuristic firings for CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress strongly suggest the execution of arbitrary code. The document body contains seemingly innocuous text about application forms, which is likely a lure to disguise the malicious intent.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 128,000 bytes but its declared streams total only 21,308 bytes — 106,692 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.