Office (OLE) malware analysis — malicious · d2f9b925f4f22716

MALICIOUS

Office (OLE)

90.9 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 25a4bf25228262ea095c7cb40756783e SHA-1: a333104c7152b7129684af9900f75f0a5454d3d7 SHA-256: d2f9b925f4f2271695db2cb514e7347a3bb699fb411818012f234cff2b33b6ba

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution

The heuristics indicate the presence of ShellExecute, VirtualProtect, and GetProcAddress API calls, suggesting the Excel file attempts to execute arbitrary code. The OLE Slack Anomaly points to potential obfuscation or embedded malicious content. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, leading to an 'unknown family' classification.

Heuristics 4

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 93,117 bytes but its declared streams total only 24,565 bytes — 68,552 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.