Office (OLE) / .XLS malware analysis — malicious · 855c2ae2640a90c6

MALICIOUS

Office (OLE) / .XLS

214.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: f054a347ca0a48f2c44626252a4aed75 SHA-1: 93c050fc609c6e48f63d5ac1895e05fb15c77931 SHA-256: 855c2ae2640a90c6f922ff437ec3d29fe633a90608237212f89b7d8fa46f65f8

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1218 Signed Binary Proxy Execution T1055 Process Injection

The file is an OLE Excel spreadsheet with a large slack space anomaly, indicating potential obfuscation. Heuristics indicate the presence of APIs commonly used for code injection and dynamic loading of malicious payloads, such as VirtualAlloc, LoadLibrary, and GetProcAddress. The document body presents as a set of application forms, a common lure for social engineering. No scripts were extracted, limiting further analysis of the execution chain.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 219,650 bytes but its declared streams total only 21,308 bytes — 198,342 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.