Office (OLE) malware analysis — malicious · 0538c472b711a744

MALICIOUS

Office (OLE)

125.0 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 05dd3af818406720e78fdb540ce9e776 SHA-1: 8ab12567b051a585ecfd1cc30e4d2eb007f658f8 SHA-256: 0538c472b711a74487128ccd8885ef9a00d0d69ec47daa8997d3d02e64f2c58b

120 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or packed code. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, which are commonly used by malware to load additional malicious code or functions. The document body is unreadable, providing no further context on the lure.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 127,952 bytes but its declared streams total only 21,151 bytes — 106,801 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.