Office (OLE) malware analysis — malicious · bd4841e095cafbca

MALICIOUS

Office (OLE)

107.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 211460a6c51ad91d5bf47e990e9fb884 SHA-1: d5d9d5cbd8f4fdcab2a4ef0d1e136707c643fc2a SHA-256: bd4841e095cafbcaf6d1edbec827f8c9a86e2297edac2d7deb2b82a4c44533ca

120 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution

The presence of LoadLibrary and GetProcAddress API calls within the Excel document strongly indicates that it is designed to load and execute external code. The large slack space in the OLE structure further supports the possibility of embedded or dynamically loaded malicious content. Without further script or network indicators, the exact payload and delivery mechanism remain unclear, leading to an unknown family classification.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 109,568 bytes but its declared streams total only 24,565 bytes — 85,003 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.