Office (OLE) malware analysis — malicious · 3aeabd994e43002f

MALICIOUS

Office (OLE)

172.4 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: a516342874c8b4a490ae5a6ab492b71a SHA-1: d8bc5fbf5b52ea146a7e72c314bc7960606a5b96 SHA-256: 3aeabd994e43002f5cdc8b0d7e03625d21153cd4128f5d41ee8ede747eda1499

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution

The sample is an OLE document with a significant amount of slack space, indicating obfuscation. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting the loading of a malicious DLL. The absence of a document body and scripts prevents a more specific determination of the attack pattern or family.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 176,541 bytes but its declared streams total only 24,565 bytes — 151,976 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.