Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 38efb1863a0ef0dc…

MALICIOUS

Office (OLE) / .DOC

Size: 64.0 KB
Created: 2007-10-12 02:47:00
Authoring application: Microsoft Office Word
MD5: c3b991f09ec6b11b5f9c520a833a056a
SHA-1: da31a15fba77bf39bcdc70e0f2129fafe76a5bba
SHA-256: 38efb1863a0ef0dc9c508337a9b3fba38017eef3a9ce0df59a30bcc1b7b4887c
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model Hijacking

The OLE document exhibits a significant slack-space anomaly, a common characteristic of packed or obfuscated files. More critically, it contains an embedded PE executable, which indicates the document is a container for delivering a malicious payload. The embedded executable, carved as 'embedded_office_00005000.exe', is the primary indicator of malicious intent.

Heuristics (2)

  • Embedded PE executable (critical) OLE_EMBEDDED_EXE
    MZ/PE header found inside the document; possible embedded executable.
  • OLE document has a large unaccounted-for region (high) OLE_SLACK_ANOMALY
    The OLE file is 65,536 bytes but its declared streams total only 17,055 bytes; the remaining 48,481 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00005000.exe
SHA-256: 1a601c8fec87c9782c09ee648b62b711341715fc02bbfd2d9e482e340f5636eb
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5000
Size: 45056 bytes