Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 3515163193f7adf5…

Verdict: MALICIOUS

File type: Office (OLE) / .EXE

Size: 84.5 KB
Created: 2000-10-07 09:13:00
Authoring application: Microsoft Word 9.0
MD5: 60f244df8883e57131511be6dbf5fad3
SHA-1: 3d94f993c02ddda3296d082942476c9eb42f4480
SHA-256: 3515163193f7adf5873c9717452a78b352aecef41661e653a6c5e3e93736848b
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1059.001: PowerShell

The file is an OLE document with a significant amount of slack space, suggesting potential obfuscation or embedded content. A heuristic indicates the presence of a visible LOLBin command execution instruction, likely related to macro execution. The document body explicitly instructs the user to activate macros, which is a common social engineering tactic to enable malicious script execution. No specific malware family was identified.

Heuristics (3)

  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 86,528 bytes but its declared streams total only 12,806 bytes — 73,722 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction (severity: high, SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • VBA project contains no executable statements (severity: low, OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7dc71236f3aafb53fb2c9664b44f0fe8cb4570bf93d611076d144be51600007f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 165 bytes