Office (OLE) malware analysis — malicious · 38dbb153b23c9eb3

MALICIOUS

Office (OLE)

618.5 KB Created: 2009-09-23 04:59:15 Authoring application: Microsoft Office PowerPoint

MD5: 07c42c96fe777192f6b25e3972d9c2fb SHA-1: cee0940ca90cfeeff485c9e0e22785fd9b995e13 SHA-256: 38dbb153b23c9eb37ae91a909ef1abdec560f5ba90ad47f02b6a8ce1c3382301

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell

The sample is an OLE document with a large slack space anomaly, suggesting hidden content. The document body discusses geopolitical tensions between China, India, and Pakistan, likely serving as a lure. High-severity heuristics indicate the presence of PEB access and an API hash resolver, common techniques for evading detection and resolving API calls dynamically. No scripts were extracted, and no specific IOCs were identified.

Heuristics 4

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 633,344 bytes but its declared streams total only 24,296 bytes — 609,048 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.