Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d706358dea5075f5…

MALICIOUS

Office (OLE) / .XLS

Size: 96.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: c9b4618d9baddc44dfe1d6c0f088e5d4
SHA-1: bce69ad54be6972b2c0b97eb66b3db1711c6e315
SHA-256: d706358dea5075f5016d423da825c0a35e2291b9aee8b96762238f5ce06fbfee
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1218 System Binary Proxy Execution

The heuristic firings indicate the presence of VBA code that utilizes VirtualAlloc, LoadLibrary, and GetProcAddress APIs. This strongly suggests the macro attempts to dynamically load and execute code, likely a second-stage payload. The OLE Slack Anomaly further points to a packed or obfuscated structure common in malicious documents. Without a DOC BODY or SCRIPTS section, the exact delivery mechanism and payload are not discernible, hence the unknown family and moderate confidence.

Heuristics (4)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 98,304 bytes but its declared streams total only 24,565 bytes — 73,739 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API