Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c30083e10b243f77…

MALICIOUS

Office (OLE) / .XLS

Size: 154.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 2cb3ea261e726dd1be5614ceb1a73059
SHA-1: e6b476e14c69457a6784800dec3383591b820cdd
SHA-256: c30083e10b243f77b2d6c7df3a19ea8364610ea456f0d9a714e10dfc7ec827db
Risk Score: 120

Malware Insights

The sample is an OLE Excel file with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. High-severity heuristics indicate the presence of references to LoadLibrary and GetProcAddress API functions, which are commonly used by malware to load and execute code. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, leading to an 'unknown family' classification and moderate confidence.

Heuristics (3)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 157,719 bytes but its declared streams total only 24,565 bytes; the remaining 133,154 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).