Office (OLE) / .XLS malware analysis — malicious · d61b15bfd04e843f

MALICIOUS

Office (OLE) / .XLS

116.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: d2ba6a51505cca27ecfac90026e4086c SHA-1: ce3c4ea143474d6398393e8826172cfcbb9b498b SHA-256: d61b15bfd04e843f25df6900a7cce3165354e22265f616b30de39cf62f66998a

180 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is a malicious Excel spreadsheet. Heuristics indicate the use of Windows API functions such as CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting the execution of code. The OLE Slack Anomaly indicates a large amount of unused space, often used to hide malicious code or data. While no specific document body or script content was provided, the combination of these heuristics strongly suggests the file is designed to download and execute a secondary payload, a common technique for malware delivery.

Heuristics 5

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 118,784 bytes but its declared streams total only 24,565 bytes — 94,219 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.