Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2027541a91d378a6…

MALICIOUS

Office (OLE)

133.8 KB
MD5: a425cbf28c44f22c971a4ff07852d130 SHA-1: 833e202a6365a2c1c600c9abc631730b19377854 SHA-256: 2027541a91d378a60d78078e9f15275fcebf8f059c640edf1daad62a3af842b2
180 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The OLE document exhibits a significant slack anomaly and contains an embedded PE executable. The presence of LoadLibrary and GetProcAddress API calls further indicates the potential for dynamic loading of malicious code. The embedded executable is the primary indicator of malicious intent, likely intended to be extracted and run by the user.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 136,964 bytes but its declared streams total only 31,351 bytes — 105,613 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015000.exe
19cdf518d509afc7878503c4112f5962073a55bf65dfae6b19660d23df18e25e		 embedded-pe Office MZ+PE at offset 0x15000 50948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.