Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 56dc11a5ca81f9df…

MALICIOUS

Office (OLE) / .XLS

Size: 156.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 3563e24be050e868a089c2de03086e09
SHA-1: aeeb435d3cbf8a6a07fdad0dc7ec63f50d661c09
SHA-256: 56dc11a5ca81f9df17b14e6ddac7869e9503f5c80825465b19bab946aa071c9e
Risk Score: 120

Malware Insights

The OLE document exhibits a significant slack space anomaly, a common characteristic of packed or obfuscated malicious content. Furthermore, the presence of references to the LoadLibrary and GetProcAddress APIs strongly suggests the execution of shellcode or the dynamic loading of malicious functions. While no VBA macros were extracted, these indicators point towards an attempt to download and execute a secondary payload, typical of a downloader or dropper.

Heuristics (3)

  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    The document contains a string reference to the LoadLibrary API.
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    The document contains a string reference to the GetProcAddress API.
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 160,256 bytes, but its declared streams total only 24,565 bytes; the remaining 135,691 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).