Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6e7852128867bff6…

MALICIOUS

Office (OLE) / .XLS

223.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: c5c861b7c6cee5373649b5049c89edf1 SHA-1: 1fd9d947219a56b96940978cce2df9a2b8801737 SHA-256: 6e7852128867bff6f5ada61ff99701452ef8715ca45470aa17814e33b6788861
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an Excel workbook (an OLE2 compound file) in which 91% of the bytes lie outside every declared stream, the signature of a payload hidden in unallocated sector slack rather than in a macro; no VBA-related heuristic fired on this sample. String heuristics find references to LoadLibrary and GetProcAddress, the API pair that position-independent shellcode uses to resolve imports at runtime, which is consistent with embedded shellcode rather than with legitimate spreadsheet content. The visible document body presents various application forms, a lure that keeps the user's attention on the sheet while the document is parsed and the hidden content executes. One URL was extracted from the document; on its own it is not a detection and does not by itself establish phishing or credential harvesting, but it belongs in triage alongside the slack region.

Heuristics 4

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    The string LoadLibrary appears in the file. A spreadsheet has no reason to carry it; together with GetProcAddress it is the pair that position-independent shellcode uses to locate Windows APIs at runtime without an import table.
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    The string GetProcAddress appears in the file, the second half of the runtime import-resolution pair above.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 228,352 bytes but its declared streams total only 21,308 bytes — 207,044 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.chinastakes.com/2009/10/us-dollar-depreciation-may-force--rmb-appreciation.html
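The OLE_SLACK_ANOMALY check above compares the declared stream sizes with the file size. The following is an added example, not the scanner's own code, that reproduces that accounting with a minimal OLE2/CFB parser and adds the finer check a triager wants: which sectors the FAT actually allocates. It assumes the scanner's "declared streams total" is the sum of the sizes in stream (type 2) directory entries, and it runs on a constructed sample file, not on the reported hash, since that sample is not available here.

```python
"""Measure OLE2/CFB slack: bytes of the file that neither a declared stream
nor a FAT-allocated sector accounts for. Added example, not the scanner's code."""
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
DIFSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFC, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
HEADER = 512  # the header is always 512 bytes, whatever the sector size


def _sector(data, n, size):
    return data[HEADER + n * size: HEADER + (n + 1) * size]


def _u32s(buf):
    return struct.unpack_from("<%dI" % (len(buf) // 4), buf)


def ole_slack(data):
    """Return declared stream bytes, FAT-allocated sectors, and what is left over."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    shift, = struct.unpack_from("<H", data, 0x1E)
    ssz = 1 << shift                                  # 512 (v3) or 4096 (v4)
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    first_difat, num_difat = struct.unpack_from("<II", data, 0x44)
    sectors_in_file = max(0, (len(data) - HEADER + ssz - 1) // ssz)

    # DIFAT: 109 entries in the header, then DIFAT sectors whose last u32 links
    # to the next. Bounds checks keep a truncated or corrupt chain from crashing us.
    difat = list(struct.unpack_from("<109I", data, 0x4C))
    s = first_difat
    for _ in range(num_difat):
        if s >= sectors_in_file:
            break
        ent = _u32s(_sector(data, s, ssz))
        difat.extend(ent[:-1])
        s = ent[-1]
    fat = []
    for s in difat[:num_fat]:
        if s < sectors_in_file:
            fat.extend(_u32s(_sector(data, s, ssz)))

    # Walk the directory chain and sum the sizes that stream entries declare.
    declared, streams, seen, s = 0, [], set(), first_dir
    while s < min(len(fat), sectors_in_file) and s not in seen:
        seen.add(s)
        sec = _sector(data, s, ssz)
        for off in range(0, len(sec) - 127, 128):
            e = sec[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 0x40)
            if obj_type != 2:                          # 0 unused, 1 storage, 5 root
                continue
            size, = struct.unpack_from("<Q", e, 0x78)
            if shift == 9:
                size &= 0xFFFFFFFF                     # v3 writers leave the high half undefined
            declared += size
            streams.append(e[:max(name_len - 2, 0)].decode("utf-16-le", "replace"))
        s = fat[s]

    # A sector is allocated only if a FAT entry inside the file says so; sectors
    # past FAT coverage or marked FREESECT are the slack a payload can hide in.
    allocated = sum(1 for i in range(min(len(fat), sectors_in_file)) if fat[i] != FREESECT)
    return {
        "file_size": len(data), "sector_size": ssz, "streams": streams,
        "declared_stream_bytes": declared,
        "slack_pct": round(100.0 * (len(data) - declared) / len(data), 1),
        "sectors_in_file": sectors_in_file, "allocated_sectors": allocated,
        "unallocated_bytes": (sectors_in_file - allocated) * ssz,
    }


def build_sample(payload_len=300, slack_sectors=10):
    """Constructed test input: a minimal v3 file with one 'Workbook' stream, then
    sectors no FAT entry allocates (XOR-masked filler standing in for a hidden
    payload). Not a real malware sample."""
    ssz = 512

    def sect(entries):
        return struct.pack("<128I", *(entries + [FREESECT] * (128 - len(entries))))

    def dirent(name, obj_type, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n), obj_type, 1)
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    hdr = bytearray(HEADER)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # version, byte order, shifts
    # dir-sector count, FAT count, first dir, txn, mini cutoff, first mini-FAT,
    # mini-FAT count, first DIFAT, DIFAT count
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)      # FAT lives in sector 0

    fat = sect([FATSECT, ENDOFCHAIN, ENDOFCHAIN])                    # sectors 0 FAT, 1 dir, 2 stream
    directory = (dirent("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dirent("Workbook", 2, NOSTREAM, 2, payload_len) + bytes(256))
    stream = (b"\x09\x08\x10\x00" * 75)[:payload_len].ljust(ssz, b"\x00")
    slack = bytes(((i * 7 + 3) & 0xFF) ^ 0x5A for i in range(slack_sectors * ssz))
    return bytes(hdr) + fat + directory + stream + slack


if __name__ == "__main__":
    print(ole_slack(build_sample()))
```

The declared-bytes ratio is the figure the report quotes, but it also counts the header, FAT and directory sectors as "slack", so on a small clean file it reads high; the FAT-allocation view (unallocated_bytes) separates genuine unreferenced sectors from that structural overhead and is the number worth carving from.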