Office (OLE) malware analysis — malicious · 50b24ebf51e2fa35

MALICIOUS

Office (OLE)

604.0 KB Created: 2002-05-07 13:35:00 Authoring application: Microsoft Word 9.0 First seen: 2017-10-10

MD5: 3712fd0acc28c17a5147e280d3417954 SHA-1: 4584b25b995ee6356ae7ca870c2ad5cb8cb50d8d SHA-256: 50b24ebf51e2fa3530b24d3f58e7abfd58ec3a34613be65990e89c2acbdd604c

180 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded content. Crucially, it contains an embedded PE executable. The heuristics for LoadLibrary and GetProcAddress suggest that the document may be attempting to load and execute code, possibly from the embedded executable. The presence of the embedded executable is the primary indicator of malicious intent, suggesting it is intended to be delivered as an attachment.

Heuristics 4

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 618,496 bytes but its declared streams total only 226,390 bytes — 392,106 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00039000.exe`	embedded-pe	Office MZ+PE at offset 0x39000	385024 bytes
SHA-256: `31e1c6a47cd5ddb669e2604fe209c846f4785d50c591ca96e0af9fe08b88415e`

Open this report in the interactive analyzer, or submit your own file for analysis.