Office (OLE) / .XLS malware analysis — malicious · e58069c8f557b2cc

MALICIOUS

Office (OLE) / .XLS

335.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 41783217d2408e98149b5a17bbb7a650 SHA-1: fa7cb16c5c1f536b4540cb03cec70281235a0731 SHA-256: e58069c8f557b2ccc57aa6ea76fc4e968aba4573499e1f547e85e6abcacda4f5

240 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The critical heuristic firing for an embedded SWF (Flash) object within an OLE document strongly suggests a malicious intent, likely to exploit Flash vulnerabilities or act as a dropper. High-severity heuristics for ShellExecute, LoadLibrary, and GetProcAddress indicate dynamic code execution capabilities. The large slack space in the OLE structure is also a common characteristic of packed or obfuscated malicious documents. No document body or script content was available for further analysis.

Heuristics 6

Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF

Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 343,511 bytes but its declared streams total only 24,565 bytes — 318,946 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.