Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 acfe922026e84c0e…

MALICIOUS

Office (OLE) / .XLS

73.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 4d3b0203319add4acfbec0122a9be455 SHA-1: 1538a8d8f23feea8caaee748b0ed9ae54766b1c2 SHA-256: acfe922026e84c0ecd9a4fc0a236ba6df7af4f70910db3104bbcb2932ec15287
120 Risk Score

Malware Insights

The sample is an Excel spreadsheet exhibiting a high degree of slack space, a common characteristic of packed or obfuscated malicious documents. Heuristics indicate the presence of LoadLibrary and GetProcAddress API calls, suggesting the file attempts to dynamically load and execute code. While no specific document body or script content was extracted, these indicators point towards downloader or dropper functionality.

Heuristics 3

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 75,264 bytes but its declared streams total only 24,565 bytes — 50,699 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).