Office (OLE) / .XLS malware analysis — malicious · 7d6473339019264a

MALICIOUS

Office (OLE) / .XLS

112.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 9516a32b2aa7beccc96eea174ade7ce0 SHA-1: 29353eac4d4e2217d22d0151720047d639d03153 SHA-256: 7d6473339019264abf433e1dc5cefe8e4cfedc8b5627a49949f25f2a712731ab

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The presence of high-severity heuristics related to VirtualAlloc, LoadLibrary, and GetProcAddress suggests that the macro code within this OLE document is attempting to dynamically load and execute code. The large slack space anomaly in the OLE structure further indicates potential obfuscation or embedded malicious content. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the API calls strongly point towards a downloader or shellcode execution.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 114,711 bytes but its declared streams total only 24,565 bytes — 90,146 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.