Office (OLE) / .XLS malware analysis — malicious · f7aee442d4f22568

MALICIOUS

Office (OLE) / .XLS

63.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: a534f5b8ef8cf4a1bc496180fe88b644 SHA-1: b815e8505122440e5b406a21e655017a2659f1ff SHA-256: f7aee442d4f225683d8c8c058ee162316d53e6d3665fcc165666e8dc2aff0078

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample is an Excel spreadsheet exhibiting a high degree of slack space, a common indicator of packed or obfuscated malicious content. Heuristics indicate the presence of APIs commonly used for memory manipulation and loading external code (VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress). These findings suggest the file likely contains embedded shellcode or a macro designed to download and execute a second-stage payload, although no specific URLs or scripts were extracted for direct analysis.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,509 bytes but its declared streams total only 24,565 bytes — 39,944 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.