Office (OLE) malware analysis — malicious · 2b749315272a79d3

MALICIOUS

Office (OLE)

225.5 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 6950c4e86bb531cbb8d0162d04e5ec34 SHA-1: c34ad710e0cbd1c47fd88f229ae12cd7cf024b48 SHA-256: 2b749315272a79d398376461ac1cc9563248504771659809db4ba343755b50f9

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious OLE document, including a large slack space anomaly and references to CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting an attempt to load and execute external code. The presence of an embedded URL, though benign in this instance, is a common delivery vector. The document body is heavily obfuscated and unreadable, further indicating malicious intent.

Heuristics 5

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 230,912 bytes but its declared streams total only 94,801 bytes — 136,111 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.