Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 23ccf44070ed64a9…

MALICIOUS

Office (OLE)

65.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 79f4011262466cd8183a4ace23edc5e3 SHA-1: 8c0e571d0354d34bcd668c3e355083a74b4fdb21 SHA-256: 23ccf44070ed64a9df5a5f9b86bf9dad07eff87401189d97a083f7252147da73
120 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The OLE document contains a large slack space anomaly and an embedded PE executable, indicating a malicious payload. The document body presents various application forms, likely as a lure to trick the user into interacting with the embedded malicious executable. No scripts were extracted from this sample.

Heuristics 3

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 66,560 bytes but its declared streams total only 21,308 bytes — 45,252 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00006e30.exe
abdeb0e163a671e1b53a24d6a12bd8b70896e423035c8452ea66a290a91faaed		 embedded-pe Office MZ+PE at offset 0x6E30 38352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.