Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 29a16478dfaf3bda…

MALICIOUS

Office (OLE)

Size: 170.3 KB (174,340 bytes)
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: cf8c7cc7066b1f64982ace5bd5facfad
SHA-1: 164337815acae10964ee84d62057309510804c78
SHA-256: 29a16478dfaf3bdac6f3fb27133103481831f377f44692b3c19ddfef6b803f56
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The OLE document triggers the critical heuristic for an embedded PE executable, which indicates that it is built to deliver a secondary payload. The MZ/PE image starts at offset 0x1C600 (116,224) and runs 58,116 bytes to the end of the 174,340-byte file (116,224 + 58,116 = 174,340), so it is appended after the document proper rather than stored as a declared stream; this matches the large unaccounted-for region flagged by the slack heuristic. References to VirtualAlloc, LoadLibrary and GetProcAddress, the usual triad for allocating executable memory and resolving imports by hand, suggest that the embedded executable is a loader or dropper; note that these names also occur in the import table of most benign executables, so their weight here comes from appearing inside an Office document at all. The document body is heavily corrupted and unreadable, so it gives no direct clue to the lure. The primary IOC is the embedded executable itself (SHA-256 fe9d06ba13f87e458c08885208842efff32e4180181e20cd4a189b6d12d274a4), which should be analysed on its own to confirm what it loads.

Heuristics (5)

  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document; possible embedded executable.
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    The OLE file is 174,340 bytes but its declared streams total only 94,801 bytes; the remaining 79,539 bytes (46%) lie in unallocated sector slack. This is the classic hiding place for exploit-driven Office payloads from before the macro-lure era, typically XOR-encoded shellcode that a parser pointer-corruption bug in the document structure transfers control into. In this sample the carved MZ/PE image occupies the last 58,116 bytes of the file (offset 0x1C600 to EOF), which is consistent with this figure.
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0001c600.exe
SHA-256:  fe9d06ba13f87e458c08885208842efff32e4180181e20cd4a189b6d12d274a4
Kind:     embedded-pe
Source:   Office MZ+PE at offset 0x1C600
Size:     58,116 bytes
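As an added example (not part of the report and not the analysis tool's own code), the following Python reproduces the three checks behind the heuristics above and the MZ+PE carving in this table: it parses the OLE/CFB header, FAT and directory to compare declared stream sizes with the file size and count sectors the FAT leaves unallocated (OLE_SLACK_ANOMALY), validates and carves MZ/PE images by following e_lfanew to the PE signature and the section table (OLE_EMBEDDED_EXE), and checks each carved image for the LoadLibrary/GetProcAddress/VirtualAlloc names (the SC_STR_* hits). The sample file it builds is constructed for the example; field offsets follow MS-CFB and PE/COFF, and the function names are my own.

```python
"""Added example: reproduce OLE slack measurement, embedded MZ/PE carving and
loader-API string checks on an OLE (MS-CFB) file. Not the analysis tool's code."""
import struct

FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD  # MS-CFB sector markers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LOADER_APIS = (b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress", b"VirtualAlloc")


def ole_layout(data):
    """Return (sector_size, fat, declared_stream_bytes) for a version-3 OLE file.
    Only the 109 FAT sector numbers in the header DIFAT are read (files < ~6.8 MB)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)

    def sec(n):  # sector n starts right after the header, which is one sector long
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    fat = []
    for i in range(min(num_fat, 109)):
        chunk = sec(struct.unpack_from("<I", data, 76 + 4 * i)[0])
        fat.extend(struct.unpack_from("<%dI" % (len(chunk) // 4), chunk))
    # Walk the directory chain; every type-2 (stream) entry declares its size at +120
    declared, s, seen = 0, first_dir, set()
    while s < len(fat) and s not in seen:
        seen.add(s)
        d = sec(s)
        for off in range(0, len(d) - 127, 128):
            if d[off + 66] == 2:
                declared += struct.unpack_from("<Q", d, off + 120)[0] & 0xFFFFFFFF
        s = fat[s]
    return sector_size, fat, declared


def slack_report(data):
    """Bytes in sectors the FAT leaves free (or that lie past the FAT's coverage),
    plus the crude 'file size minus declared stream bytes' figure the report quotes."""
    sector_size, fat, declared = ole_layout(data)
    body = len(data) - sector_size            # everything after the header sector
    unalloc = 0
    for n in range(-(-body // sector_size)):  # ceil(body / sector_size) sectors
        if n >= len(fat) or fat[n] == FREESECT:
            unalloc += min(sector_size, body - n * sector_size)
    return {"file_size": len(data), "declared_stream_bytes": declared,
            "unallocated_bytes": unalloc, "unaccounted_bytes": len(data) - declared}


def pe_image_size(data, mz, pe):
    """On-disk size of the image at offset mz: end of the last section's raw data,
    falling back to 'everything to EOF' when the section table is unusable."""
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    end = 0
    for i in range(n_sections):
        hdr = pe + 24 + opt_size + 40 * i
        if hdr + 40 > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end if 0 < end <= len(data) - mz else len(data) - mz


def find_pe_images(data):
    """Return [(offset, carved_bytes)] for each 'MZ' whose e_lfanew lands on 'PE\\0\\0'."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                found.append((pos, data[pos:pos + pe_image_size(data, pos, pe)]))
        pos = data.find(b"MZ", pos + 1)
    return found


def triage(data):
    """Combine the slack check, PE carving and loader-API string check into one report."""
    report = slack_report(data)
    report["embedded_pe"] = [
        {"offset": off, "size": len(img), "api_refs": [a.decode() for a in LOADER_APIS if a in img]}
        for off, img in find_pe_images(data)]
    return report


def build_sample():
    """Constructed test input: a minimal v3 OLE file with one 4096-byte stream
    and a tiny PE32 image appended past the last sector the FAT allocates."""
    S = 512
    hdr = bytearray(S)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)     # version, byte order, shifts
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)         # DIFAT: FAT is sector 0
    fat = [FREESECT] * (S // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                              # sector 1 = directory
    for n in range(2, 10):
        fat[n] = n + 1 if n < 9 else ENDOFCHAIN                       # sectors 2..9 = the stream

    def entry(name, kind, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\0\0"
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 64, len(n), kind, 1)
        struct.pack_into("<III", e, 68, 0xFFFFFFFF, 0xFFFFFFFF, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + entry("WordDocument", 2, 0xFFFFFFFF, 2, 4096)
    # Tiny PE32: DOS header, COFF header, optional header, one .text section holding API names
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 60, 512)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    text = b"LoadLibraryA\0GetProcAddress\0VirtualAlloc\0".ljust(512, b"\0")
    pe = (dos + coff + opt + sect).ljust(512, b"\0") + text
    return bytes(hdr) + struct.pack("<128I", *fat) + directory.ljust(S, b"\0") + b"\0" * 4096 + pe


if __name__ == "__main__":
    import json, sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(blob), indent=2))
```

Run it with a file path to triage a real document, or with no argument to see the constructed sample: one 4,096-byte declared stream, 1,024 unallocated bytes, and one carved PE at offset 5632 referencing all three loader APIs. Two caveats a practitioner should keep in mind: the "unaccounted bytes" figure is the crude subtraction the report quotes and also counts the header, FAT and directory sectors, so the FAT-based "unallocated bytes" is the better measure of hidden data; and carving to the end of the section table rather than to EOF avoids dragging trailing junk into the hash you pivot on.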