Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2fa7fa759bd9492e…

MALICIOUS

Office (OLE)

104.0 KB
MD5: d6d02d79a5d369c555ee851b636282cb
SHA-1: d64dea9d2e2dc20cddb1e8006856f64e3a6aeccd
SHA-256: 2fa7fa759bd9492ec56767de5ce140e55323838b440a2bf14ed77b941d937693

Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is an OLE document with significant slack space, indicating potential obfuscation or embedded malicious content. A heuristic firing for CreateProcess API suggests the execution of external processes. While no specific malicious script or URL was extracted, the combination of these factors points to a likely malicious document designed to execute payloads.

Heuristics (2)

  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 106,496 bytes but its declared streams total only 31,351 bytes — 75,145 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).