Office (OLE) / .XLS malware analysis — malicious · 45b85a09538fe4cd

MALICIOUS

Office (OLE) / .XLS

364.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 8a34ebcde292f82187732c272b51fe3c SHA-1: 04267155ca7fdab70ee3d27a875f325ad15479ad SHA-256: 45b85a09538fe4cdd7a1a49b8fdc51eddfe23b22410e9799bc79e1e4e0cbf84c

120 Risk Score

Malware Insights

The presence of LoadLibrary and GetProcAddress API calls within the OLE document suggests dynamic code loading, a common technique for executing downloaded payloads. The large amount of slack space in the OLE structure is also anomalous and may be used to hide malicious code. Without a document body or script content, the exact nature of the payload and delivery mechanism cannot be determined, leading to an unknown family classification and reduced confidence.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 373,248 bytes but its declared streams total only 24,565 bytes — 348,683 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.