Office (OLE) malware analysis — malicious · 1d902564d25fd9b2

MALICIOUS

Office (OLE)

68.4 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 3af83947bfb49bb84783b6d9672417e2 SHA-1: e9838ff61f69f2cae9c90268f08e9a0e1becf6b2 SHA-256: 1d902564d25fd9b299e88251e33e3935a0f142fdde354f87b69f81743de3f90d

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter

The sample exhibits high heuristic firings for SC_STR_LOADLIBRARY and SC_STR_GETPROCADDRESS, indicating the use of dynamic library loading and function resolution. The SC_STR_VIRTUALPROTECT firing suggests memory protection manipulation, commonly used to unpack or execute shellcode. The OLE_SLACK_ANOMALY indicates a large amount of unused space within the OLE structure, often used to hide malicious content. While no specific URLs or scripts were extracted, the API calls strongly suggest the document is designed to download and execute a secondary payload.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 70,048 bytes but its declared streams total only 16,486 bytes — 53,562 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.