Office (OLE) malware analysis — malicious · 4c8ddad4c67dd6d7

MALICIOUS

Office (OLE)

171.0 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 635d40b7072301824c41b27c3b4eb920 SHA-1: 29727e6ee2da75de27ddee5e5725e2fba6bff12b SHA-256: 4c8ddad4c67dd6d746616d8ec01ec37c4504aa83610b2ea3016d1c1569082a7e

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics firing for LoadLibrary and GetProcAddress API calls suggest the document is designed to load and execute external code. While no document body or scripts were extracted, the combination of these indicators points to a malicious document likely attempting to download and execute a second-stage payload.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 175,062 bytes but its declared streams total only 21,151 bytes — 153,911 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.