Office (OLE) malware analysis — malicious · 098937b06851c781

MALICIOUS

Office (OLE)

67.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 802941e52e4842447cb2abf7f8012572 SHA-1: 15c3d302a685213b59b7f2c072f249635e05e398 SHA-256: 098937b06851c781f8be61bd8448137808f821dee2e8322f9a038672cb841666

82 Risk Score

Malware Insights

The sample is an OLE document that contains a reference to the CreateProcess API, indicating an attempt to execute a process. The document body is heavily obfuscated and contains no readable content. The embedded URLs were confirmed as benign. Due to the obfuscated nature of the document body and lack of clear malicious indicators beyond the CreateProcess API call, the family is unknown and confidence is moderate.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 69,024 bytes but its declared streams total only 21,151 bytes — 47,873 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.time.com/time/photogallery/0,29307,1855878,00.html
- http://www.time.com/time/photogallery/0,29307,1722865,00.html

Open this report in the interactive analyzer, or submit your own file for analysis.