Office (OLE) / .XLS malware analysis — malicious · 919df2c1db760347

MALICIOUS

Office (OLE) / .XLS

151.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 783f07dba1dcba8ab7067cb6c91f0b58 SHA-1: fc63c5a1462d28036e6ee05fe39b728afab408e6 SHA-256: 919df2c1db760347ba295842b579269f158109e701a301f34516c7e391247cf7

120 Risk Score

Malware Insights

The sample is an OLE document with a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate references to LoadLibrary and GetProcAddress APIs, suggesting the execution of dynamic code. The document body presents itself as an application form for various permits, a common lure for social engineering attacks. No scripts were extracted, and no specific IOCs were identified beyond the API calls.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 154,626 bytes but its declared streams total only 21,308 bytes — 133,318 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.