Malicious Office (OLE) / .PIN — malware analysis report

Static analysis result for SHA-256 575aab9ec9c64688…

Verdict: MALICIOUS

File type: Office (OLE) / .PIN

Size: 39.5 KB
Created: 2000-04-09 04:30:00
Authoring application: Microsoft Word 9.0
MD5: 76246787823d8950cae66fd69a2cb03d
SHA-1: b2cc68a06155811eddbfc666e9e470136d11be15
SHA-256: 575aab9ec9c646883cf707db35a91b603814dc51a907048172f06b8599e8d411
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded content. Crucially, VBA macros were detected within the document. While the macro source itself is truncated, its presence strongly suggests an attempt to execute malicious code, likely for downloading and running a second-stage payload. The document body is heavily corrupted and unreadable, providing no further context.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 40,448 bytes but its declared streams total only 22,661 bytes — 17,787 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: aca3dd22177e8d56cf69d7861226222a901719bfb580fb831d66336104ad5966
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3742 bytes