Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6547d2c3fe59d392…

MALICIOUS

Office (OLE)

Size: 64.2 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: edae747dd5706ec5e7c9ba670f8982cc
SHA-1: c94d2f539d51a332e1c35b848a0d1143592d90bd
SHA-256: 6547d2c3fe59d39206cacc60792af3420f35a5219aa0b28f4dc6564a4f33e029
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample exhibits a high-confidence heap spray pattern and a reference to the CreateProcess API, indicating an attempt to execute arbitrary code. The large slack space in the OLE structure further suggests obfuscation or embedded malicious content. No specific family could be identified from the available heuristics.

Heuristics (3)

  • Heap-spray pattern detected (confidence: high, SC_HEAP_SPRAY)
    Repeated 0x41 (A) bytes found
  • Reference to CreateProcess API (confidence: high, SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region (confidence: high, OLE_SLACK_ANOMALY)
    OLE file is 65,696 bytes but its declared streams total only 21,151 bytes: 44,545 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).