Office (OLE) / .XLS malware analysis — malicious · a1f629c086b7b26e

MALICIOUS

Office (OLE) / .XLS

152.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 7f85762ecaf55dab646f4ac84b5866e8 SHA-1: d13b1152334814918a742bf53c8075ff8a65ea5e SHA-256: a1f629c086b7b26e35abbb5adaec41f3d3eafc93f5a94cb86fc1f4b45d70e654

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample is a malicious Excel file exhibiting a large slack space anomaly, indicative of packed or obfuscated content. Heuristics indicate the presence of LoadLibrary and GetProcAddress API calls, commonly used by malware to load dynamic link libraries and resolve function addresses, suggesting the execution of malicious code. While no specific URLs or scripts were extracted, the combination of these indicators points to a downloader or droppper functionality.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 155,648 bytes but its declared streams total only 24,565 bytes — 131,083 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.