MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
The sample is an Excel document exhibiting a high degree of slack space, a common characteristic of packed or obfuscated malware. Heuristic firings indicate the presence of APIs typically used for dynamic code loading and execution, specifically VirtualAlloc, LoadLibrary, and GetProcAddress. These findings suggest the document contains embedded code intended to allocate memory, load additional modules, and resolve function addresses, likely to download and execute a secondary payload. No document body text or scripts were extracted, limiting further analysis of the specific lure or payload mechanism.
Heuristics 4
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 243,613 bytes but its declared streams total only 24,565 bytes — 219,048 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Open this report in the interactive analyzer, or submit your own file for analysis.