Office (OLE) / .XLS malware analysis — malicious · 4f49bc5fc221ae44

MALICIOUS

Office (OLE) / .XLS

66.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 277b90331326aadb4469be8b0b3f2db9 SHA-1: 850d6547befe8d8b57b44ae98bd2d51f7431720a SHA-256: 4f49bc5fc221ae44f7d851d4fe666a5de24a9a22f77d09119352c418874cdfd4

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is an Excel file containing VBA macros that reference VirtualProtect, LoadLibrary, and GetProcAddress APIs. These are commonly used by malware to load and execute shellcode or download additional payloads. The OLE slack anomaly suggests potential obfuscation or padding within the file structure. Without a document body or explicit script content, the exact nature of the payload cannot be determined, but the API calls strongly indicate a downloader or dropper functionality.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 67,607 bytes but its declared streams total only 24,565 bytes — 43,042 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.