Office (OLE) malware analysis — malicious · 52cb6f85cec33011

MALICIOUS

Office (OLE)

148.5 KB

MD5: edf2f096b8f1a80140c1199970b5f1ad SHA-1: 4c255043a4bd5454d61ce85f9cc03d570380869b SHA-256: 52cb6f85cec330116bc161e502932540cdf847b0dc6013c5e2ff4ecfccac0a50

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File T1055 Process Injection

The sample exhibits high-confidence heuristic firings related to the execution of arbitrary code, including references to WinExec, CreateProcess, and LoadLibrary APIs. The presence of a suspicious cmd.exe invocation with an execution flag further supports this. The OLE slack anomaly suggests potential obfuscation or packed code. While no specific family is identified, the techniques indicate a downloader or initial execution stage.

Heuristics 7

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 152,064 bytes but its declared streams total only 31,351 bytes — 120,713 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.