Office (OLE) / .XLS malware analysis — malicious · d8043524df2ce698

MALICIOUS

Office (OLE) / .XLS

380.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 247b43e773a4a2ea429aea905c8946c9 SHA-1: e009847480bbc02d7afff8cd932dc41032a9f49b SHA-256: d8043524df2ce698993733fb766497186dfa8633669708620cfd0d168f0a6ef0

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The file is an OLE Excel spreadsheet with a significant amount of slack space, indicating potential obfuscation of malicious content. Heuristics indicate the use of ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, which are common for executing arbitrary code. The large slack space (94%) strongly suggests that malicious code is hidden within this region, likely intended to be executed via ShellExecute.

Heuristics 5

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 389,079 bytes but its declared streams total only 24,565 bytes — 364,514 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.