Office (OLE) / .XLS malware analysis — malicious · b30a3e4b2e75bff6

MALICIOUS

Office (OLE) / .XLS

161.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 31dbd02eb647a7fee4e1a61eb6d8df1c SHA-1: a2d0c5c1109d526dfbfecfa42212b8e53a18585f SHA-256: b30a3e4b2e75bff64b7e387b3ee7ae52af27c74e28d20dfa54ee83eb9cd7c84c

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded content. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the execution of external code or dynamic loading of functions. The document body presents itself as an application form for various permits, a common lure for social engineering. No scripts were extracted, and no specific IOCs were identified beyond the API calls.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 165,375 bytes but its declared streams total only 21,308 bytes — 144,067 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.