Office (OLE) / .XLS malware analysis — malicious · 579cbd0a7d431591

MALICIOUS

Office (OLE) / .XLS

151.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 97b20f01c94fe134713637efb0338b69 SHA-1: 128044efa38cd9fb406fd82f6514987c07b72665 SHA-256: 579cbd0a7d431591670a713f1cec3065467d2dd00e23da445dd428f1ee327df4

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The OLE document exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. High-severity heuristics firing for LoadLibrary and GetProcAddress strongly suggest the file is designed to load and execute arbitrary code. No document body or script content was available to provide further context on the specific payload or delivery mechanism.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 155,136 bytes but its declared streams total only 21,308 bytes — 133,828 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.