Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 203f51344328203a…

MALICIOUS

Office (OLE)

137.3 KB
MD5: d2c12cc3046226a77f00c92ae56d4d35 SHA-1: 69da931688740196eb77d4ce802a44c93506a0d4 SHA-256: 203f51344328203a0faeff4ad81b4f2c9a7bc2b81d7edf58e297221ab1ad0b6d
200 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1105 Ingress Tool Transfer

The OLE document exhibits a significant slack space anomaly and critically contains an embedded PE executable. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls suggests the embedded executable is likely a shellcode or loader designed to dynamically load its functionality. The document body, while containing report-like text, also references embedded Office objects, further indicating a complex structure designed to conceal the malicious payload.

Heuristics 5

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 140,548 bytes but its declared streams total only 31,351 bytes — 109,197 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015800.exe
1c082a9586aa8a9dda3b8c33a57938e2cd9b83779acc98be74e544d577a1d2fd		 embedded-pe Office MZ+PE at offset 0x15800 52484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.