Office (OLE) / .XLS malware analysis — malicious · 33562f3b25b1590c

MALICIOUS

Office (OLE) / .XLS

90.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 32306b8faf2044ddb84986fa540c9b9f SHA-1: a2f1d0d7f045a15b39f9a0fcc154aaa4cc028880 SHA-256: 33562f3b25b1590c5a3cae2b112ced6e8a537a708c81c07f45cd72a47becfd3e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution

The sample is an Excel spreadsheet exhibiting high-severity heuristics for CreateProcess, LoadLibrary, and GetProcAddress API calls, indicating an attempt to execute external code. The OLE slack anomaly suggests potential obfuscation or embedded malicious content. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the API calls strongly suggest a downloader or loader functionality.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 92,695 bytes but its declared streams total only 24,565 bytes — 68,130 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.