Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5874a49f239e3594…

MALICIOUS

Office (OLE)

Size: 63.2 KB | Created: 2006-01-25 08:30:00 | Authoring application: Microsoft Office Word
MD5: 28e65a487c9969d2d8dea17a43babe7f
SHA-1: 22dd6d279e2a3a66db0e75fb25223103e7439501
SHA-256: 5874a49f239e35949cc742b1bbf992cb031e1a8000dbd9d5b9332e69cd9d34bb
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document with a large slack-space anomaly, indicating potential obfuscation or embedded malicious content. A high-severity heuristic fired on a reference to the CreateProcess API, suggesting the document attempts to launch an external process. No document body or script content was available for further analysis, which limits the ability to determine the exact payload or malware family.

Heuristics (2)

  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
    The document contains a reference to the CreateProcess API.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 64,672 bytes, but its declared streams total only 21,151 bytes; the remaining 43,521 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).