Office (OLE) / .XLS malware analysis — malicious · 58b43352affe22b2

MALICIOUS

Office (OLE) / .XLS

153.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 2bb67b96031ac633adc66f32d2a6456e SHA-1: f7b12b97d1407b4a128c0c031e8002d590a99dee SHA-256: 58b43352affe22b2afee9ed02bace6b73110bcd0202fedbabde9893bea51d0a8

120 Risk Score

Malware Insights

The heuristic firings for LoadLibrary and GetProcAddress, combined with a significant OLE slack space anomaly (84%), indicate that this Excel file is likely designed to load and execute additional code. The large slack space is a common characteristic of droppers or loaders that hide malicious payloads. No document body or script content was available for further analysis.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 157,184 bytes but its declared streams total only 24,565 bytes — 132,619 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.