Office (OLE) malware analysis — malicious · 6062abb3a90bdcff

MALICIOUS

Office (OLE)

146.0 KB Created: 2018-01-05 13:58:00 Authoring application: Microsoft Office Word First seen: 2019-05-31

MD5: ba16e25f7dc06487903b1174181a2ca3 SHA-1: 8e08ed691619d64d28dcbb9e3c97a163d40c4d37 SHA-256: 6062abb3a90bdcffa86c54c4a68eddfd1605fbb63bc1463fb58aa5a17115c896

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. ClamAV detected it as 'Img.Dropper.PhishingLure', suggesting it's designed to drop or present a phishing lure, possibly disguised as an image. The embedded URL, though benign, is present within the document structure.

Heuristics 3

ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 149,504 bytes but its declared streams total only 24,677 bytes — 124,827 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.