Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b0d3ef23cece6417…

MALICIOUS

Office (OLE) / .XLS

Size: 68.5 KB (70,144 bytes)   Created: 1996-12-17 01:32:42   Authoring application: Microsoft Excel
MD5: 2e199f552ea9ee670483b7e2d490f040
SHA-1: 2df10d322f018ffac0a3c310cf3257cabc0f4b1d
SHA-256: b0d3ef23cece64175bdb5594163f08fc51679bc8bbaf4d720e8c3da8a3ab3aec
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1218 System Binary Proxy Execution
  • T1059 Command and Scripting Interpreter

The OLE container shows a large slack-space anomaly: most of the file sits in sectors that no declared stream accounts for, a common place to hide a binary payload. High-severity heuristics also flag string references to the Windows API functions LoadLibrary, GetProcAddress and VirtualProtect. That trio is the classic import-resolution sequence of position-independent shellcode: LoadLibrary maps a DLL into the process, GetProcAddress resolves the addresses of the functions the payload needs, and VirtualProtect changes page permissions so a buffer of injected code can be made executable (VirtualProtect does not allocate memory; allocation would be VirtualAlloc). Together they indicate the sample is built to stage and run arbitrary code rather than merely automate Excel. The report attributes the references to VBA code; in a slack-space exploit payload the same strings normally sit, XOR-encoded, inside the shellcode itself, so both the macro streams and the decoded slack region should be checked. The 1996 creation timestamp is document metadata that is trivially forged or inherited from a template and says nothing about when the file was built.

Heuristics (4)

  • Reference to LoadLibrary API (high) SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API (high) SC_STR_GETPROCADDRESS
  • OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY
    OLE file is 70,144 bytes but its declared streams total only 24,565 bytes: the remaining 45,579 bytes (65%) sit in unallocated sector slack. This is the canonical hiding place for exploit-based Office payloads from before macro droppers became the norm (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure), as opposed to samples whose logic lives in the VBA streams.
  • Reference to VirtualProtect API (medium) SC_STR_VIRTUALPROTECT
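The two checks above, the slack-space measurement and the encoded API-string search, can be reproduced with a short parser. The following is an added example written for this page; it is not the scanner's own heuristic code and it does not process the analysed sample. It builds a small CFB (OLE2) container in memory with a constructed XOR-encoded payload appended in free sectors, then parses the header, FAT and directory to sum declared stream sizes, collects the bytes in sectors the FAT does not allocate, and brute-forces single-byte XOR keys over that slack looking for the three API names. It assumes a version 3 file (512-byte sectors) whose FAT fits in the header DIFAT, which covers files under about 7 MB.

```python
import struct

SECTOR = 512                      # CFB version 3; classic .xls uses 512-byte sectors
HEADER = 512
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualProtect"]


def build_sample_ole(slack_payload: bytes) -> bytes:
    """Constructed CFB container (not the analysed sample): header, FAT in
    sector 0, directory in sector 1, a 5,000-byte 'Workbook' stream in
    sectors 2-11, then slack_payload appended in sectors the FAT leaves free."""
    stream = bytes((i * 7) & 0xFF for i in range(5000))
    n_stream = -(-len(stream) // SECTOR)                       # 10 sectors
    fat = [FATSECT, ENDOFCHAIN]                                # sector 0, sector 1
    for i in range(n_stream):                                  # chain 2 -> 3 ... -> 11
        fat.append(2 + i + 1 if i < n_stream - 1 else ENDOFCHAIN)
    fat += [FREESECT] * (SECTOR // 4 - len(fat))
    fat_sector = struct.pack("<%dI" % len(fat), *fat)

    def dirent(name, typ, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00"
        return (n.ljust(64, b"\x00") + struct.pack("<HBB", len(n), typ, 1)
                + struct.pack("<III", FREESECT, FREESECT, child)   # no siblings, child id
                + b"\x00" * 36                                      # CLSID, state, timestamps
                + struct.pack("<IQ", start, size))

    directory = (dirent("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dirent("Workbook", 2, FREESECT, 2, len(stream))
                 + b"\x00" * 256)                                   # two unused entries
    header = (MAGIC + b"\x00" * 16
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREESECT] * 108))         # DIFAT: FAT lives in sector 0
    body = fat_sector + directory + stream.ljust(n_stream * SECTOR, b"\x00")
    slack = slack_payload.ljust(-(-len(slack_payload) // SECTOR) * SECTOR, b"\x00")
    return header + body + slack


def ole_slack(data: bytes) -> dict:
    """Sum declared stream sizes from the directory and collect the bytes in
    sectors the FAT marks free or that lie beyond the FAT entirely.
    Assumption: no DIFAT sectors, i.e. the FAT list fits in the header."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB file")
    sector = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat_sectors = struct.unpack_from("<109I", data, 0x4C)[:n_fat]

    def sec(i):
        return data[HEADER + i * sector: HEADER + (i + 1) * sector]

    fat = []
    for s in fat_sectors:
        fat += struct.unpack("<%dI" % (sector // 4), sec(s))

    stream_total, s, seen = 0, first_dir, set()
    while s < len(fat) and s not in seen:            # walk the directory chain, loop-safe
        seen.add(s)
        for off in range(0, sector, 128):
            entry = sec(s)[off:off + 128]
            if entry[0x42] == 2:                     # object type 2 = stream
                stream_total += struct.unpack_from("<IQ", entry, 0x74)[1]
        s = fat[s]

    n_file_sectors = -(-(len(data) - HEADER) // sector)
    free = [i for i in range(n_file_sectors) if i >= len(fat) or fat[i] == FREESECT]
    return {
        "file_size": len(data),
        "stream_total": stream_total,
        "unaccounted_pct": round(100 * (len(data) - stream_total) / len(data)),
        "unallocated_sectors": free,
        "slack": b"".join(sec(i) for i in free),
    }


def xor_scan(blob: bytes, needles=API_NAMES) -> list:
    """Brute-force single-byte XOR keys; return (key, api_name, offset) for
    every encoded API string found. Key 0 would report plaintext references."""
    hits = []
    for key in range(256):
        for name in needles:
            pos = blob.find(bytes(b ^ key for b in name))
            if pos != -1:
                hits.append((key, name.decode(), pos))
    return hits


def demo():
    # Constructed stand-in for a slack payload: a NOP sled around the API
    # names a loader resolves, XOR-encoded with key 0x5A before insertion.
    plain = (b"\x90" * 16 + b"LoadLibraryA\x00GetProcAddress\x00VirtualProtect\x00"
             + b"\x90" * 16)
    sample = build_sample_ole(bytes(b ^ 0x5A for b in plain))
    info = ole_slack(sample)
    return info, xor_scan(info["slack"])


if __name__ == "__main__":
    info, hits = demo()
    print("file %d bytes, streams declare %d (%d%% unaccounted), free sectors %s"
          % (info["file_size"], info["stream_total"], info["unaccounted_pct"],
             info["unallocated_sectors"]))
    for key, name, off in hits:
        print("key 0x%02X  %-16s at slack offset %d" % (key, name, off))
```

Two measures are reported on purpose. The report's figure (file size minus declared stream bytes) also counts the header, FAT and directory sectors as unaccounted, so a clean file will never score 0%; the free-sector list is the tighter measure and points directly at the bytes to carve. A single-byte XOR brute force is only a first pass: real payloads may use multi-byte keys, a rolling key, or resolve APIs by hash instead of by name, in which case the slack region still needs to be extracted and disassembled even when this scan reports nothing.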