Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 648e07174b86bdc1…

MALICIOUS

Office (OLE) / .XLS

Size: 111.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 2febe9eaa1bca1fb32318f78c8e8b684
SHA-1: 821843d02c5bddeba767f9120b26ae1ea80e7d93
SHA-256: 648e07174b86bdc186978efb590d65ff783f4650153bc152cd89d5699be5fe18
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32

The sample is an Excel file exhibiting an OLE slack anomaly, indicating potential obfuscation. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, suggesting the loading of external code or DLLs. While no specific VBA or script content was extracted, the API calls strongly imply the execution of a secondary payload, likely a downloader or dropper, to further compromise the system.

Heuristics (3)

  • Reference to LoadLibrary API [severity: high, ID: SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [severity: high, ID: SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region [severity: high, ID: OLE_SLACK_ANOMALY]
    OLE file is 113,666 bytes but its declared streams total only 21,308 bytes; 92,358 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).