Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 00d527cc8d680251…

MALICIOUS

Office (OLE)

110.2 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: 1e21a5b65057630e330526d3f782d129 SHA-1: 13341d2054739b912278402314c3870f286896a8 SHA-256: 00d527cc8d680251d84637476e5e4b90e759ab3baa2983c1660ac436e6d20e2a
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The sample exhibits a high OLE slack anomaly and PEB access, indicating potential malicious activity within the OLE structure. While most extracted URLs are benign, one benign URL is present. The document body is heavily obfuscated and truncated, preventing a clear understanding of its specific lure. However, the heuristics suggest an attempt to execute code or exploit a vulnerability.

Heuristics 3

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 112,856 bytes but its declared streams total only 16,486 bytes — 96,370 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://www.iec.ch

Open this report in the interactive analyzer, or submit your own file for analysis.