Office (OLE) / .XLS malware analysis — malicious · 583484c4991cc194

MALICIOUS

Office (OLE) / .XLS

66.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: f8d2593ad21e5e09837b3711789025e7 SHA-1: ddda5d2fecdbf5dad4679f8cfde03b7d53aeebf3 SHA-256: 583484c4991cc1942c564a804c7b8ceee468347c79be740b5ad05f909f72f111

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 Signed Binary Proxy Execution T1071 Application Layer Protocol

The sample is an Excel file exhibiting a large slack space anomaly, indicative of obfuscation. Heuristics indicate the presence of VBA macros that likely leverage LoadLibrary and GetProcAddress APIs, potentially to load and execute a malicious payload. The reference to VirtualProtect further suggests dynamic code execution. The embedded URL in the document text is a likely indicator of the download source for the secondary payload.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 68,119 bytes but its declared streams total only 24,565 bytes — 43,554 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.