Office (OLE) malware analysis — malicious · 9601db096239ee38

MALICIOUS

Office (OLE)

243.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 095adf6722a81339c132acc6bd248878 SHA-1: 062d581702e07e605e515122801409e03e3dc021 SHA-256: 9601db096239ee38cb5b60b41aa8ef388a864fe76b8b75a0bffb9dd1f6f06817

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter T1204 User Execution

The sample is an Excel OLE document with a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. High-severity heuristics indicate the use of Windows API functions such as CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, which are commonly used by malware to execute payloads or load malicious libraries. The lack of a document body or script content limits further analysis, but the API calls strongly suggest an attempt to run arbitrary code.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 248,832 bytes but its declared streams total only 24,565 bytes — 224,267 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.