Office (OLE) / .XLS malware analysis — malicious · 814c5618f480082a

MALICIOUS

Office (OLE) / .XLS

173.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 66a1c0942293c5ece72dded35fb92ee8 SHA-1: 200310e4d173e6512a1ad2533e7c4a7292f0a1aa SHA-256: 814c5618f480082a770f6975b65a5b4c16ef22d41436e9daba73952104341d9a

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample exhibits high-confidence heuristic firings related to process creation, memory allocation, and library loading, strongly suggesting it is designed to execute additional malicious code. The OLE slack anomaly further indicates potential obfuscation or packing. Without any extracted scripts or URLs, the exact payload and delivery mechanism remain unknown, leading to a lower confidence in family attribution.

Heuristics 5

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 177,114 bytes but its declared streams total only 21,308 bytes — 155,806 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.