Office (OLE) / .XLS malware analysis — malicious · f1115a69919793be

MALICIOUS

Office (OLE) / .XLS

72.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: b3643bfb772760820292b6ae15c1a337 SHA-1: 55e1a1ed5a835275a7daaad8c4045a5c708e77d4 SHA-256: f1115a69919793be2a1a715541de04706a846cb8eb08fb665f7b69be7a2cc19e

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation. Heuristics indicate the presence of APIs commonly used for shellcode execution and dynamic library loading (VirtualAlloc, LoadLibrary, GetProcAddress). While no scripts were explicitly extracted, the heuristics suggest that the document likely attempts to download and execute a second-stage payload. The document body presents itself as an application form for permits, likely a lure to trick users into opening and interacting with the malicious content.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 74,240 bytes but its declared streams total only 21,308 bytes — 52,932 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.