Malicious Office (OLE) / .EML — malware analysis report

Static analysis result for SHA-256 554dc10c71a0d99c…

MALICIOUS

Office (OLE) / .EML

133.8 KB
MD5: 9e2347b4ee112aa3663402aee1f24932 SHA-1: b4c06abdad801ec042b292308132825252603c27 SHA-256: 554dc10c71a0d99c97830f4238b6045ab94e7646d267d9ea7c6f26c845950162
180 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The sample is an OLE file with a significant amount of slack space, indicating potential obfuscation. Crucially, it contains an embedded PE executable. The document body contains references to embedded Office objects, which is a common lure for users to interact with malicious content. The presence of LoadLibrary and GetProcAddress API calls in the heuristics further suggests dynamic loading of malicious code, likely within the embedded executable.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 136,964 bytes but its declared streams total only 31,351 bytes — 105,613 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015000.exe
cc0585ae8f9e82ff477dbbcc1aa87e57bfd1c515a9e2c7830cc113407c667fb0		 embedded-pe Office MZ+PE at offset 0x15000 50948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.