Office (OLE) malware analysis — malicious · 50cc702d9e35b050

MALICIOUS

Office (OLE)

170.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: fe87f9bee2430d528aad897c9630f5d7 SHA-1: abdbcbde24719b5bdb282d2f41a49e6e8fb36889 SHA-256: 50cc702d9e35b0502cd950ba4333c92b3c40c5045d3b8e71d6b967fb53dac6c9

180 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell

The heuristics indicate the presence of APIs commonly used for code execution and loading external libraries, specifically CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress. The OLE Slack Anomaly suggests a large portion of the file is not standard document content, likely containing malicious code. While no specific script was extracted, the API calls strongly suggest the Excel file is designed to download and execute a second-stage payload.

Heuristics 5

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 174,080 bytes but its declared streams total only 24,565 bytes — 149,515 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.