Office (OLE) / .XLS malware analysis — malicious · 3bbf9f5a4ad079ad

MALICIOUS

Office (OLE) / .XLS

190.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 64e606305d87664af7aca602ea9c5759 SHA-1: 6bfd733c8142358a45a9d49f258521f4fc941142 SHA-256: 3bbf9f5a4ad079ad11b73c54837e0f4ee95521640306dbe0729b520ff117637b

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer T1055 Process Injection

The sample exhibits characteristics of a downloader, indicated by the high-severity heuristic firings for VirtualAlloc, LoadLibrary, and GetProcAddress. These API calls are commonly used by malware to allocate memory and load malicious code. The large slack space in the OLE document further suggests it may be used to hide malicious components. No document body or script content was available to provide further context on the specific lure or payload.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 194,562 bytes but its declared streams total only 21,308 bytes — 173,254 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.