Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bce10754b4ffddfe…

MALICIOUS

Office (OLE) / .XLS

Size: 117.0 KB (119,808 bytes)
Created: 1996-12-17 01:32:42 (this is the creation timestamp carried by Excel's default workbook template and appears in many unrelated .xls files, so it is not evidence of when the sample was actually produced)
Authoring application: Microsoft Excel
MD5: 83b3ad5a1131ea1a801846f8cc9c240b
SHA-1: 4273f8c5a777f454d7cc635046aa2a375ef5ecfe
SHA-256: bce10754b4ffddfe444c9432e08477987b90bb1778e9b8c8c46371145e1d6d06
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an Excel spreadsheet with a significant slack-space anomaly: most of the file lies outside any declared stream, which is characteristic of an embedded, packed or obfuscated payload. String heuristics flag references to the Windows API functions CreateProcess, LoadLibrary and GetProcAddress. That triad is what position-independent shellcode (or macro code that declares these functions) uses to resolve imports at runtime and launch a process, so the sample very likely attempts to execute arbitrary code. No document body or macro source was recovered, so the specific payload and delivery mechanism remain unconfirmed, but the API references point to downloader or dropper functionality.

Heuristics (4)

  • SC_STR_CREATEPROCESS (high): reference to the CreateProcess API
  • SC_STR_LOADLIBRARY (high): reference to the LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): reference to the GetProcAddress API
  • OLE_SLACK_ANOMALY (high): OLE document has a large unaccounted-for region
    The file is 119,808 bytes (an exact multiple of the 512-byte sector size), but its declared streams total only 24,565 bytes; the remaining 95,243 bytes (79%) are not covered by any stream. Note that this figure is file size minus stream bytes, so it also counts the header, FAT and directory sectors; the strictly unallocated (FREESECT) region is somewhat smaller but still dominates the file. Unallocated sector slack is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure, with API names such as the three flagged above typically resolved at runtime from the same blob.
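To make the slack computation behind OLE_SLACK_ANOMALY and the API-string heuristics concrete, here is an added example (not part of this report and not the scanner's own code) that parses an OLE compound file directly from its [MS-CFB] header, FAT and directory, sums the declared stream sizes, counts the sectors the FAT leaves marked FREESECT, and brute-forces single-byte XOR keys over those free sectors looking for the three API names flagged above. The input is constructed in memory by build_sample(): the single "Workbook" stream, the 20 trailing slack sectors and the 0x5A key are assumptions for the demonstration, not data from the analysed sample. Only the header DIFAT is handled (files with up to 109 FAT sectors), which comfortably covers a 117 KB file.

```python
import struct

# Constants from the [MS-CFB] compound file specification.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
STGTY_STREAM, STGTY_ROOT = 2, 5
API_NEEDLES = (b"CreateProcess", b"LoadLibrary", b"GetProcAddress")


def analyze_ole(data):
    """Compare declared stream sizes and FAT allocation against the file size."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    major, _byte_order, shift = struct.unpack_from("<HHH", data, 0x1A)
    ss = 1 << shift                                   # sector size: 512 (v3) or 4096 (v4)
    num_fat, first_dir, *_rest, num_difat = struct.unpack_from("<8I", data, 0x2C)
    if num_difat:
        raise NotImplementedError("DIFAT sectors (more than 109 FAT sectors) not handled")
    difat = struct.unpack_from("<109I", data, 0x4C)[:num_fat]

    def sector(n):                                    # sector 0 starts right after the header
        return data[(n + 1) * ss:(n + 2) * ss]

    fat = []
    for s in difat:
        fat.extend(struct.unpack(f"<{ss // 4}I", sector(s)))
    # Follow the directory chain and collect every stream's declared size.
    dir_data, sec, seen = b"", first_dir, set()
    while sec < len(fat) and sec not in seen:         # ENDOFCHAIN/FREESECT are >= len(fat)
        seen.add(sec)
        dir_data += sector(sec)
        sec = fat[sec]
    streams = {}
    for off in range(0, len(dir_data) - 127, 128):    # 128-byte directory entries
        name_len, typ = struct.unpack_from("<HB", dir_data, off + 0x40)
        if typ != STGTY_STREAM or name_len < 2:
            continue
        name = dir_data[off:off + name_len - 2].decode("utf-16-le", "replace")
        size = struct.unpack_from("<Q", dir_data, off + 0x78)[0]
        if major == 3:
            size &= 0xFFFFFFFF                        # v3 only defines the low 32 bits
        streams[name] = size
    # Sectors present in the file that no FAT entry allocates form the slack region.
    total_sectors = -(-(len(data) - ss) // ss)
    free = [i for i in range(total_sectors) if i >= len(fat) or fat[i] == FREESECT]
    slack = b"".join(sector(i) for i in free)
    declared = sum(streams.values())
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_total": declared,
        "unaccounted": len(data) - declared,          # the metric the report quotes
        "free_sectors": len(free),
        "free_bytes": len(slack),                     # stricter: FREESECT sectors only
        "free_pct": round(100 * len(slack) / len(data), 1),
        "slack": slack,
    }


def find_xor_strings(blob, needles=API_NEEDLES):
    """Brute-force single-byte XOR keys; return (key, api_name, offset) hits."""
    hits = []
    for key in range(256):
        for needle in needles:
            off = blob.find(bytes(b ^ key for b in needle))
            if off != -1:
                hits.append((key, needle.decode(), off))
    return hits


def build_sample(key=0x5A):
    """Constructed test file (not the analysed sample): one 'Workbook' stream plus
    20 sectors that exist on disk but are FREESECT in the FAT and hold an
    XOR-encoded, shellcode-like blob containing the three API names."""
    ss = 512
    stream = (b"BIFF8 placeholder record " * 200)[:4200]     # 9 sectors
    n_stream, n_slack = -(-len(stream) // ss), 20
    plain = b"\x90" * 40 + b"GetProcAddress\0LoadLibraryA\0CreateProcessA\0" + b"\xCC" * 20
    slack = bytes(b ^ key for b in plain).ljust(n_slack * ss, b"\0")
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                      # sector 0 = FAT, 1 = directory
    for i in range(n_stream):                                 # stream chain: sectors 2..10
        fat[2 + i] = 2 + i + 1 if i + 1 < n_stream else ENDOFCHAIN

    def entry(name, typ, start, size, child=NOSTREAM):
        raw = name.encode("utf-16-le") + b"\0\0" if name else b""
        return (raw.ljust(64, b"\0")
                + struct.pack("<HBBIII", len(raw), typ, 1, NOSTREAM, NOSTREAM, child)
                + b"\0" * 36                                   # CLSID, state bits, timestamps
                + struct.pack("<IQ", start, size))

    directory = (entry("Root Entry", STGTY_ROOT, ENDOFCHAIN, 0, child=1)
                 + entry("Workbook", STGTY_STREAM, 2, len(stream))
                 + entry("", 0, 0, 0) * 2)
    header = struct.pack("<8s16sHHHHH6s9I", MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6,
                         b"\0" * 6, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *[FREESECT] * 108)      # DIFAT: the FAT is sector 0
    return (header + struct.pack(f"<{ss // 4}I", *fat) + directory
            + stream.ljust(n_stream * ss, b"\0") + slack)


if __name__ == "__main__":
    r = analyze_ole(build_sample())
    print(f"{r['file_size']} bytes, declared streams {r['declared_total']} bytes, "
          f"{r['free_bytes']} bytes ({r['free_pct']}%) in {r['free_sectors']} free sectors")
    for key, name, off in find_xor_strings(r["slack"]):
        print(f"  XOR key 0x{key:02x}: {name} at slack offset {off}")
```

Against a real file, call analyze_ole(open(path, "rb").read()): "unaccounted" reproduces the report's file-size-minus-streams figure, while "free_bytes" is the stricter count of sectors no FAT entry claims, which is the region worth carving. Single-byte XOR is only the simplest encoding seen in these payloads; multi-byte rolling keys and ADD/SUB schemes need the search extended accordingly.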