Office (OLE) / .XLS malware analysis — malicious · 371fe926143c97a2

MALICIOUS

Office (OLE) / .XLS

117.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: da1f5a7bb1ed5b3355ee222d08bd7ef4 SHA-1: 55150f74b88faa8021fa99a5894fa11f3557e5b9 SHA-256: 371fe926143c97a2628049571e94f810610c943abc24c0078414a57968ffb317

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter

The OLE document exhibits a large slack space anomaly, suggesting hidden or packed content. Heuristics indicate the presence of Windows API calls such as VirtualAlloc, LoadLibrary, and GetProcAddress, which are commonly used by malware to allocate memory and load dynamic link libraries. This strongly suggests the file is designed to download and execute a secondary payload, although no specific URLs or scripts were extracted to confirm this.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 119,831 bytes but its declared streams total only 24,565 bytes — 95,266 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.