Office (OLE) malware analysis — malicious · 40d64d52c37f3a6f

MALICIOUS

Office (OLE)

177.5 KB

MD5: 58e815ab31dcbabb2fe66757a0c474c5 SHA-1: f7b35bd3bf2fb38e2b9ae55ae286ae68edc45f4e SHA-256: 40d64d52c37f3a6f2c1a92b5ad8c4425a3953dce42aa8647a46bc945ebe9189b

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The file is an OLE document with significant slack space, indicating potential obfuscation or embedded content. Heuristics for LoadLibrary and GetProcAddress APIs suggest dynamic code loading, a common technique for malware. The presence of embedded OLE objects like Excel and PowerPoint further supports the idea that this file is a container for malicious payloads. However, no specific delivery mechanism or payload could be definitively identified from the provided evidence.

Heuristics 4

NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 181,764 bytes but its declared streams total only 31,351 bytes — 150,413 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.