Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 23eab83c5f88c4d3…

MALICIOUS

Office (OLE)

162.0 KB
MD5: c4e2975fd63fc9e459a84e68616f4562 SHA-1: 2ab291a10e655b09c0474b2b49bc780b24a0847b SHA-256: 23eab83c5f88c4d3205d587504787e038b1d8b3313b67630bbdf414583eb88c4
300 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1218 System Binary Proxy Execution

The sample exhibits characteristics of a malicious OLE document, including a large slack space anomaly and references to Windows API functions commonly used for code execution like WinExec, CreateProcess, and LoadLibrary. The presence of a 'Visible LOLBin command execution instruction' heuristic, specifically mentioning cmd.exe, strongly suggests the document is designed to execute commands. The document body's content is not indicative of a specific lure, but the technical indicators point towards arbitrary code execution.

Heuristics 9

  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 165,888 bytes but its declared streams total only 31,351 bytes — 134,537 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.