Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2aea90b7f2f3d537…

MALICIOUS

Office (OLE)

Size: 291.5 KB (298,544 bytes)   Created: 2001-12-14 14:26:00   Authoring application: Microsoft Word 9.0
MD5: c65e9adb22e63eaf983d068566c480cb
SHA-1: 693873584385bd5676e28f10c98689bc251ccc4a
SHA-256: 2aea90b7f2f3d537e696be09bda1441d2c8fb40ac17363b8c980d0d2bb99fc00
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.001 Command and Scripting Interpreter: PowerShell
T1105 Ingress Tool Transfer
T1055 Process Injection

Seven heuristics fire, six of them at high confidence. A Word 9.0 (Word 2000) document has no legitimate reason to carry the names WinExec, CreateProcess, LoadLibrary, GetProcAddress and VirtualAlloc as strings. In a document, as opposed to a PE file, that combination is characteristic of position-independent shellcode that resolves its imports at run time (LoadLibrary plus GetProcAddress by name), obtains executable memory with VirtualAlloc and launches a command line through cmd.exe. The OLE slack anomaly shows where such a payload would sit: 68% of the file lies outside any declared stream, which is far more than the orphaned sectors an incremental save leaves behind. No URL, script or macro was extracted, so the download stage behind the T1105 mapping is inferred from the API set rather than observed, the T1055 mapping rests on VirtualAlloc alone, and nothing in the heuristic list references PowerShell, so T1059.001 is not supported by the evidence shown here. The ATT&CK entries should be read as capabilities suggested by the strings, not confirmed behavior; the next steps are to carve the unallocated region, test it for single-byte XOR encoding of the same API names, and detonate the sample before attributing a specific exploit.

Heuristics (7)

  • Reference to WinExec API  high  SC_STR_WINEXEC
  • Reference to CreateProcess API  high  SC_STR_CREATEPROCESS
  • Suspicious cmd.exe invocation with execution flag  high  SC_STR_CMD
    A cmd.exe string followed by an execution flag (typically /c), i.e. a one-shot command line rather than an interactive shell.
  • Reference to LoadLibrary API  high  SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API  high  SC_STR_GETPROCADDRESS
    Together with LoadLibrary, the classic pair shellcode uses to resolve imports at run time.
  • OLE document has large unaccounted-for region  high  OLE_SLACK_ANOMALY
    The OLE file is 298,544 bytes, but its declared streams total only 94,801 bytes; the remaining 203,743 bytes (68%) sit in sectors the FAT marks free or beyond the last allocated sector. This is the canonical hiding place for macro-less Office exploit payloads: XOR-encoded shellcode that a parser pointer-corruption bug in the document structure transfers control to. Some slack is normal (Word's incremental saves leave orphaned sectors behind), but 68% of a 291 KB file is far beyond that. The check is to carve the unallocated region and test it for high entropy and for single-byte XOR encoding of the API names listed above.
  • Reference to VirtualAlloc API  medium  SC_STR_VIRTUALALLOC
    Typically used by shellcode to obtain writable, executable memory for a decoded second stage.
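The two checks the report calls for, measuring how much of an OLE file lies outside its declared streams and scanning that region for XOR-encoded API names, can be done with a few dozen lines of Python. The script below is an added example written for this page; it is not the scanner that produced the heuristics above. It implements a minimal Compound File Binary (v3, 512-byte sector) reader, and the document it analyses is constructed in code so that it runs offline: the stream name, sizes, filler and XOR key (0x5A) are invented for illustration and do not describe the real sample.

```python
"""Measure OLE/CFB slack and brute-force single-byte XOR API strings in it.

Added example for this report (not the original scanner). The sample OLE
file is built by build_sample(): stream name, sizes and the 0x5A key are
invented for illustration.
"""
import math
import struct
from collections import Counter

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SECT = 512                    # CFB v3 sector size (sector shift 9)
FREESECT = 0xFFFFFFFF         # FAT entry: sector belongs to no chain
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF

# The strings behind the SC_STR_* heuristics; shellcode resolves these by name.
API_STRINGS = [b"WinExec", b"CreateProcessA", b"LoadLibraryA",
               b"GetProcAddress", b"VirtualAlloc", b"cmd.exe /c"]


def parse_ole(data):
    """Return declared stream sizes plus the bytes of every unallocated sector.

    Only the 109 DIFAT slots in the header are honoured (files up to ~6.8 MB at
    512-byte sectors); use olefile for anything larger.
    """
    if data[:8] != MAGIC:
        raise ValueError("not an OLE/CFB file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for sid in difat[:num_fat]:                      # sector n lives at (n+1)*sec
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (sid + 1) * sec))
    streams, sid, seen = {}, first_dir, set()
    while sid != ENDOFCHAIN and sid not in seen:     # walk the directory chain
        seen.add(sid)
        base = (sid + 1) * sec
        for i in range(sec // 128):                  # 128-byte directory entries
            e = data[base + i * 128: base + (i + 1) * 128]
            nlen, otype = struct.unpack_from("<HB", e, 64)
            if otype == 2:                           # object type 2 = stream
                name = e[:max(nlen - 2, 0)].decode("utf-16-le", "replace")
                start, size = struct.unpack_from("<II", e, 116)  # v3: low 32 bits
                streams[name] = (start, size)
        sid = fat[sid]
    total_secs = -(-(len(data) - sec) // sec)        # ceil(bytes after header / sec)
    unalloc = [i for i in range(total_secs) if i >= len(fat) or fat[i] == FREESECT]
    slack = b"".join(data[(i + 1) * sec:(i + 2) * sec] for i in unalloc)
    return {"file_size": len(data), "streams": streams,
            "declared_stream_bytes": sum(s for _, s in streams.values()),
            "unallocated_sectors": unalloc, "slack": slack,
            "slack_ratio": len(slack) / len(data)}


def entropy(blob):
    """Shannon entropy in bits per byte; encoded shellcode sits near 7 to 8."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def xor_string_hits(blob, needles=API_STRINGS):
    """Try every single-byte XOR key (key 0 catches plaintext); return (name, key, offset)."""
    hits = []
    for key in range(256):
        for needle in needles:
            pos = blob.find(bytes(b ^ key for b in needle))
            if pos != -1:
                hits.append((needle.decode(), key, pos))
    return hits


def _dir_entry(name, otype, start, size, child=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = raw.ljust(64, b"\x00") + struct.pack("<HBB", len(raw), otype, 1)
    e += struct.pack("<III", NOSTREAM, NOSTREAM, child) + b"\x00" * 36  # CLSID, state, times
    return e + struct.pack("<IQ", start, size)


def build_sample(key=0x5A):
    """Constructed OLE file: FAT, directory, 9 stream sectors, then 20 free sectors."""
    n_stream, n_slack, size = 9, 20, 4200
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_stream - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (SECT // 4 - len(fat))
    header = MAGIC + b"\x00" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
    header += struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))
    directory = (_dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("WordDocument", 2, 2, size)).ljust(SECT, b"\x00")
    stream = (b"Decoy document text. " * 300)[:size].ljust(n_stream * SECT, b"\x00")
    # Unallocated region: NOP sled, API names, pseudo-random filler, all XORed with key.
    plain = b"\x90" * 16 + b"".join(s + b"\x00" for s in API_STRINGS)
    plain += bytes((i * 131 + 7) & 0xFF for i in range(n_slack * SECT - len(plain)))
    slack = bytes(b ^ key for b in plain)
    return header + struct.pack("<128I", *fat) + directory + stream + slack


def report(data):
    r = parse_ole(data)
    print("file %d bytes, declared streams %d bytes, %d free sectors (%.0f%% slack)" % (
        r["file_size"], r["declared_stream_bytes"], len(r["unallocated_sectors"]),
        100 * r["slack_ratio"]))
    print("slack entropy %.2f bits/byte" % entropy(r["slack"]))
    for name, key, pos in xor_string_hits(r["slack"]):
        print("  %-16s key=0x%02X offset=%d" % (name, key, pos))
    return r


if __name__ == "__main__":
    report(build_sample())
```

Run against a real document, `parse_ole(open(path, "rb").read())` gives the same three numbers the OLE_SLACK_ANOMALY heuristic reports (file size, declared stream bytes, unallocated share); a slack ratio of a few percent is ordinary save residue, while a large high-entropy region that yields XOR hits for the API names is the payload the report describes. Files over roughly 6.8 MB, or v4 files with 4096-byte sectors, are better handled with olefile, which walks DIFAT sectors as well.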