Office (OLE) / .XLS malware analysis — malicious · dffdebe803c936d0

MALICIOUS

Office (OLE) / .XLS

145.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: faf6266b91240a041f95f4d118b5fb58 SHA-1: 7dd89ade270585bb495fb101c8a29b52a56fddff SHA-256: dffdebe803c936d01eb68fab3c35a3dbedc86088fe11d6f14bc46c7aa6a635b1

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1071.001 Web Protocols

The file is an Excel spreadsheet exhibiting a high degree of slack space, a common indicator of packed or obfuscated malicious content. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the loading and execution of shellcode or external modules. An embedded URL was also detected, likely used to download a secondary payload. The specific family is not identifiable from the provided evidence.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 149,015 bytes but its declared streams total only 24,565 bytes — 124,450 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.