Office (OLE) / .XLS malware analysis — malicious · 8a99cf0cf4121dca

MALICIOUS

Office (OLE) / .XLS

74.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: bbd7b158fae2bd29da9d6bd6421248c7 SHA-1: e5231ba9b1e23a0d8cdd18121ce519b5fc0ce087 SHA-256: 8a99cf0cf4121dcaa3638f5ea321ffb7c0e7df2413d68e5f8e453394542b7ac1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1218 System Binary Proxy Execution

The sample exhibits high-severity heuristic firings for LoadLibrary and GetProcAddress API calls, indicating dynamic code loading. The OLE slack anomaly suggests hidden or packed data within the file. While the document body presents itself as an application form for permits, the underlying heuristics point towards malicious intent, likely to download and execute a secondary payload. No specific family could be identified.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 76,288 bytes but its declared streams total only 21,308 bytes — 54,980 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.