Office (OLE) / .XLS malware analysis — malicious · b64775a4730ca808

MALICIOUS

Office (OLE) / .XLS

95.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 5618fefe38fe0705588d66288a66da5e SHA-1: f680dfad7e03d404a525475740756a4ba041a50e SHA-256: b64775a4730ca808e51784cb9908cfb47e13314eee0029612e02dfb4d7c7eae9

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The file is an OLE Excel spreadsheet with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of APIs commonly used for loading and executing code, such as VirtualAlloc, LoadLibrary, and GetProcAddress. While no specific VBA scripts or URLs were extracted, the combination of these factors strongly suggests the file is designed to download and execute a second-stage payload.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 97,303 bytes but its declared streams total only 24,565 bytes — 72,738 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.