Office (OLE) malware analysis — malicious · 37c06e5c641afedc

MALICIOUS

Office (OLE)

167.4 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 739b0a1df06b49638e59a2e3d80519a0 SHA-1: 90932854e9d45ec4b5cc7707e400e17cb5df6a9b SHA-256: 37c06e5c641afedc2e6a33e42744c7793d2f275d40adf471f8ac246d8f1cb6dc

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1055 Process Injection

The file exhibits characteristics of a malicious OLE document, indicated by a large slack space anomaly and the presence of heuristics related to ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress. These findings suggest the document is designed to execute arbitrary code, likely by loading and running a payload. No specific document body content or scripts were extracted to further refine the analysis or identify a specific malware family.

Heuristics 5

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 171,456 bytes but its declared streams total only 94,801 bytes — 76,655 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.