Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b1936817dcabe375…

MALICIOUS

Office (OLE) / .XLS

Size: 389.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: b7a8db9e6bc05c061d737cedcfa8f0fd
SHA-1: 2f92dbf77376664abd164fe9d0dd028dda3bd7db
SHA-256: b1936817dcabe3754988b392a1ba496839b04323f1519118b417d368c7a28488
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The file is an OLE document with a large slack-space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics flag string references to Windows API functions commonly associated with process execution and memory manipulation (CreateProcess, VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress), suggesting the file attempts to download and execute a secondary payload. The document body presents itself as an application form for various permits, a common social engineering lure.

Heuristics (6)

  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 398,338 bytes but its declared streams total only 21,308 bytes; the remaining 377,030 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (severity: medium, rule: SC_STR_VIRTUALPROTECT)