Office (OLE) / .XLS malware analysis — malicious · a5593f4db990d92b

MALICIOUS

Office (OLE) / .XLS

63.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 326c99b68eadb98da375b5dcb7685cf7 SHA-1: fd1e5333abd5bf77328e6c3c26661812c1f995b3 SHA-256: a5593f4db990d92b831b841a27cc09a737fcb7d508cda9ae0bafcf13a286b1db

160 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution T1059 Command and Scripting Interpreter

The sample is an Excel file exhibiting a high degree of slack space anomaly, suggesting obfuscation or embedded malicious content. Heuristics indicate the presence of APIs commonly used for loading and executing code, such as VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress. These point towards the file's likely intent to download and execute a second-stage payload, although no specific URLs or scripts were extracted to confirm this directly. The lack of explicit script content or URLs reduces confidence in a more precise family attribution.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,512 bytes but its declared streams total only 24,565 bytes — 39,947 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.