Office (OLE) malware analysis — malicious · 4824156eca50aa37

MALICIOUS

Office (OLE)

148.5 KB

MD5: 9d650f2fd19cb5f8232ba0d1969579ae SHA-1: 871bb467a6fef7d0c54669542494a3c17b18607a SHA-256: 4824156eca50aa37eb7cf6aa41c028bc2de8cf9bb792c0c4d31db30131906ef8

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample exhibits characteristics of a malicious Office document, including a large slack space anomaly and references to LoadLibrary and GetProcAddress APIs, suggesting dynamic code loading. The presence of a NOP sled further indicates potential shellcode execution. While no specific document body content or scripts were clearly extracted, these indicators strongly suggest an attempt to exploit a vulnerability and download a secondary payload.

Heuristics 4

NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 152,068 bytes but its declared streams total only 31,351 bytes — 120,717 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.