Office (OLE) malware analysis — malicious · 3a787a5651c7d676

MALICIOUS

Office (OLE)

37.7 KB Created: 2017-07-28 08:08:00 Authoring application: Microsoft Office Word First seen: 2017-08-08

MD5: e9b636e16e2f1512ada7fdbc671dd781 SHA-1: 4d18e7d295244ffcc3d4a96bbb2067071da82be9 SHA-256: 3a787a5651c7d6767568073b09fdfa13473bbdb62dec9ddf53b14056d514c053

62 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The presence of the SC_STR_VIRTUALALLOC heuristic indicates an attempt to allocate memory, a common technique for executing shellcode or payloads. The OLE_SLACK_ANOMALY suggests that the file structure is intentionally malformed to hide malicious content. While no specific scripts were extracted, the combination of these heuristics points towards an exploit targeting the OLE structure to achieve code execution.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 38,592 bytes but its declared streams total only 20,312 bytes — 18,280 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.