Office (OLE) malware analysis — malicious · 546121dd8f006686

MALICIOUS

Office (OLE)

184.3 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 6cfb13a9158b8f7733a8aa9d6f4f453e SHA-1: 08c009a8ae53356daf54554aaa6f4c91de9f1d36 SHA-256: 546121dd8f0066863fd9f5091176f1e124ea98db906e53ef032a5d06071a2d04

200 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model Hijacking T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The OLE document exhibits a significant slack space anomaly and contains an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely unpacked or loaded dynamically. The document body is heavily obfuscated and does not provide clear user-facing content, further supporting the malicious intent of delivering an executable.

Heuristics 5

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 188,676 bytes but its declared streams total only 94,801 bytes — 93,875 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0001c600.exe` `92e54cf5685ba5f2fdf364405d5a0e2be722c21fd6c4206a4c2985a56665485b`	embedded-pe	Office MZ+PE at offset 0x1C600	72452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.