Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0407ae3af447a7e7…

MALICIOUS

Office (OLE)

544.9 KB
MD5: e03abe664c06529b66f031324f9367a1 SHA-1: c07ce7ed4242fe76a9c89b6c7ac1c281f2f121c3 SHA-256: 0407ae3af447a7e750339d50808a93a4389f1c277eea6162c87e8b3f2af173a1
182 Risk Score

Malware Insights

MITRE ATT&CK
T1105 Ingress Tool Transfer T1566.001 Spearphishing Attachment

The OLE document exhibits characteristics of a malicious file, including a large slack space anomaly and appended executable payload. Heuristics indicate the use of Windows API functions like VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting the loading and execution of code. The presence of embedded URLs, though mostly benign, points towards potential network communication for payload retrieval, aligning with Ingress Tool Transfer (T1105). Given the nature of OLE files with appended payloads, Spearphishing Attachment (T1566.001) is a likely initial access vector.

Heuristics 6

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 558,016 bytes but its declared streams total only 56,346 bytes — 501,670 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.identify.idv.tw/bbs/C
    • http://www.identify.idv.tw/bbs/
    • http://www.microsoft.com
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0

Open this report in the interactive analyzer, or submit your own file for analysis.