Office (OLE) / .XLS malware analysis — malicious · 9471b07f665259e3

MALICIOUS

Office (OLE) / .XLS

73.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 6adf99765fbe18076baf82c84bc3dd90 SHA-1: 9e9c65e31e5c4e8571f7463b5bb34e70f5748f8f SHA-256: 9471b07f665259e341155e06526da53c530eb542d4b1dda6b1e70c26c3e0e9fc

120 Risk Score

Malware Insights

The heuristic firings for LoadLibrary and GetProcAddress, combined with the OLE Slack Anomaly, strongly suggest the presence of obfuscated code designed to dynamically load and execute functions, a common technique for malware droppers. No document body or script content was available for further analysis, limiting the ability to identify specific IOCs or confirm the exact payload delivery mechanism. The file is an older XLS format, which is frequently used for macro-based malware.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 75,264 bytes but its declared streams total only 24,565 bytes — 50,699 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.