Office (OLE) malware analysis — malicious · 3375db3a3831c1b7

MALICIOUS

Office (OLE)

66.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: bfbe74dd2d6ea8feb843aeb34ed24cfa SHA-1: 9e1d16ed3b307939c3de81e317529c74ef698ace SHA-256: 3375db3a3831c1b794b46f6f82cdb9c9bc4ac81a6e3175052b8a077dd5a43840

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample is an OLE document with a high degree of slack space, indicating potential obfuscation or embedded malicious content. A heuristic firing for CreateProcess API suggests the document attempts to launch an external process. While no document body or script content was extracted, the presence of the CreateProcess heuristic strongly implies a downloader or dropper functionality, aiming to execute a secondary payload. The lack of specific script content or URLs limits further analysis and attribution.

Heuristics 2

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 68,000 bytes but its declared streams total only 21,151 bytes — 46,849 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.