Office (OLE) / .XLS malware analysis — malicious · e62fcf2c42f3809f

MALICIOUS

Office (OLE) / .XLS

117.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: fa30b07fcf4b52ab028d7065538fc900 SHA-1: 8ba61d5af1aed48ccd31c59d2ec2f4e515268dc3 SHA-256: e62fcf2c42f3809fea293457bc8005fa89cfaf28fa9aed1ed4535fa98da053b3

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer

The sample is an OLE Excel file with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of Windows API functions like CreateProcess, LoadLibrary, and GetProcAddress, which are commonly used by malware to execute payloads or load malicious libraries. The presence of an embedded URL further suggests a download and execution mechanism. The exact URL could not be extracted from the provided evidence.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 119,808 bytes but its declared streams total only 24,565 bytes — 95,243 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.