Office (OLE) / .XLS malware analysis — malicious · 963503ab41bdddd3

MALICIOUS

Office (OLE) / .XLS

76.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: c2a53030be67a92a83afc3e9e819221f SHA-1: 4c48d3f50d7729a3a63d7948cece68cd9d9deb3a SHA-256: 963503ab41bdddd309098e3253967a270a32c299b1612329e519c28a2aa903d7

180 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution T1059.001 PowerShell

The sample exhibits a large slack space anomaly within its OLE structure, a common indicator of packed or obfuscated content. High-severity heuristics indicate the use of critical Windows APIs such as ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, which are frequently employed by malware to allocate memory, load malicious libraries, and execute arbitrary code. Without a document body or script content, the exact payload and delivery mechanism remain unclear, leading to a lower confidence in family attribution.

Heuristics 5

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 78,336 bytes but its declared streams total only 24,565 bytes — 53,771 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.