Office (OLE) / .XLS malware analysis — malicious · da131f2ddf441963

MALICIOUS

Office (OLE) / .XLS

120.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 5084b78c3d96220ae295c6167a2b8ddf SHA-1: 7e0a102da96232b15377f305f94a0f8cce1e1461 SHA-256: da131f2ddf441963c6716c15ecc0fbfa41bda5565a7c31bf6af71901d5e7b3ba

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1055 Process Injection

The OLE document exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristic firings for CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress APIs strongly suggest the file's purpose is to load and execute arbitrary code. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, leading to a lower confidence in family attribution.

Heuristics 5

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 123,392 bytes but its declared streams total only 24,565 bytes — 98,827 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.