Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 33d653e34b9b6746…

MALICIOUS

Office (OLE) / .XLS

Size: 151.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 57b224ec81aa9662a68aedb5b050bf9b
SHA-1: 0f734696c65747f0aead1e3ff0f127100182723f
SHA-256: 33d653e34b9b674621e1bb37a9ecdbd12c1b061138915ddb34b0309fa0d67815
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1218 System Binary Proxy Execution

The OLE document exhibits a large slack space anomaly, suggesting hidden or packed content. Heuristic firings for VirtualAlloc, LoadLibrary, and GetProcAddress indicate the presence of shellcode or packed executable code within the document, likely intended to download and execute a second-stage payload. The absence of a document body and scripts prevents a more detailed analysis of the specific lure or payload execution method.

Heuristics (4)

  • Reference to LoadLibrary API (severity: high, ID: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, ID: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (severity: high, ID: OLE_SLACK_ANOMALY)
    OLE file is 155,159 bytes but its declared streams total only 24,565 bytes — 130,594 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, ID: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API