Office (OLE) malware analysis — malicious · 04c65017a3bfa35e

MALICIOUS

Office (OLE)

117.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 433b8fefec5ef9da0ec3106d6a0c257d SHA-1: bacac018d6a78c0d7d99080035ffae4a58a0e6f9 SHA-256: 04c65017a3bfa35e820793419ff1d3cbad54550125424ae4c2e565f7db66e114

260 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.003 Windows Command Shell

The sample exhibits high-confidence heuristics indicating the use of WinExec, CreateProcess, LoadLibrary, and GetProcAddress APIs, alongside a suspicious invocation of cmd.exe. The OLE slack anomaly suggests potential obfuscation or embedded malicious content. These indicators point towards an attempt to execute arbitrary code, likely to download and run a second-stage payload, but no specific family could be identified.

Heuristics 7

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 119,968 bytes but its declared streams total only 21,151 bytes — 98,817 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.