Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 22647630fc19bbdb…

MALICIOUS

Office (OLE)

160.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: cdf6eea5c40e52032e85bb83b5728798 SHA-1: 07287aac4a7092cf89ec6e9419bc38169da2bd23 SHA-256: 22647630fc19bbdb75efa4a602d3d186814452f109ff34b321eee8f0088acd1b
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The OLE document exhibits a significant slack space anomaly and contains an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely unpacked or loaded dynamically. The presence of an embedded executable strongly indicates a dropper or downloader functionality, aiming to execute a secondary payload.

Heuristics 5

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 164,612 bytes but its declared streams total only 94,801 bytes — 69,811 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001c600.exe
a0980f4609326bdff7df39dd9b23182a029d3881293a79a78820b0308a6efca0		 embedded-pe Office MZ+PE at offset 0x1C600 48388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.