Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10d5359b7f3913a4…

MALICIOUS

Office (OLE)

Size: 37.1 KB
Created: 2017-08-02 20:42:00
Authoring application: Microsoft Office Word
First seen: 2017-08-08
MD5: 17039af277643820f13be2db411fa975
SHA-1: 4765f58af32fc4e91950f9cf804df50100da3e4a
SHA-256: 10d5359b7f3913a44b18fbc63f8d6865b0638cb9c86c0b9d4294fd03adf0bc45
Risk score: 62

Malware Insights

The file is identified as a malicious OLE document with a high-risk score. Heuristics indicate the presence of the VirtualAlloc API, which is often used by malware to allocate memory for malicious code execution. The significant slack space anomaly in the OLE structure is also a strong indicator of malicious intent, potentially used to hide malicious content. No scripts were extracted from this sample, and the document body was unreadable.

Heuristics (3)

  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 38,013 bytes but its declared streams total only 20,340 bytes; 17,673 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    The document contains a string reference to the VirtualAlloc API.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)