Office (OLE) / .XLS malware analysis — malicious · d1dffdc2bc221ea0

MALICIOUS

Office (OLE) / .XLS

73.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: f931abb35d17c89bc0821e1d26bce116 SHA-1: 62c15601a822bc60e3ac42411c674773bf350e70 SHA-256: d1dffdc2bc221ea04879f937a3a1ae00c9782ffdbdca75088451bc591c1b00e2

180 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution T1059.001 PowerShell

The sample is a malicious Excel spreadsheet exhibiting a large slack space anomaly, indicative of hidden or packed content. Heuristics indicate the use of ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the potential for arbitrary code execution and dynamic library loading. While no specific VBA or script content was extracted, these API calls strongly imply the file is designed to download and execute a secondary payload.

Heuristics 5

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 74,752 bytes but its declared streams total only 24,565 bytes — 50,187 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.