Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 35cb91ed7e361535…

MALICIOUS

Office (OLE)

Size: 109.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 677bce1065386b0a56535b46a4244f6b
SHA-1: 9c1ad630a85c8efa02c942b7689e1c49c06fdfa7
SHA-256: 35cb91ed7e3615356cc44456c0f3446583b3748507fb1809c415357939373478
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1218 System Binary Proxy Execution

The heuristics indicate the presence of APIs commonly used for loading and executing code (VirtualAlloc, LoadLibrary, GetProcAddress), suggesting the Excel file is designed to download and run a malicious payload. The large slack space in the OLE structure is also a common characteristic of packed or obfuscated malicious documents. No document body or script content was available for further analysis, limiting the ability to identify specific IOCs or confirm the exact execution chain.

Heuristics (4)

  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 111,639 bytes but its declared streams total only 24,565 bytes; the remaining 87,074 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)