Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 69a4f49e54132306…

MALICIOUS

Office (OLE)

Size: 140.0 KB (143,360 bytes) | Created: 2018-01-09 11:21:00 | Authoring application: Microsoft Office Word | First seen: 2019-01-11
MD5: a766f0eb270449a3faa57e225dac10e4
SHA-1: eaac87b0b50726831426aae62fd9a7f41ab7b8a0
SHA-256: 69a4f49e54132306bf030cd02f91cffa1fe4eb64237a931d36b7a245e737e549
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV identifies the file with the signature Img.Dropper.PhishingLure-6443153-0, a family name that classifies it as a dropper used as a phishing lure. The OLE container also shows a large unaccounted-for region: 83% of the file lies outside any declared stream, in unallocated sector slack, which is the classic hiding place for the payload of a pre-macro-era Office exploit. The extracted document text is obfuscated and truncated, so the payload itself cannot be read from the static output, but the signature hit together with the slack anomaly strongly indicates that the file exists to deliver a malicious payload. The single extracted URL is the DrawingML schema namespace found in ordinary Office markup and is not an indicator on its own.

Heuristics (3)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    The OLE file is 143,360 bytes but its declared streams total only 24,669 bytes, leaving 118,691 bytes (83%) in unallocated sector slack. Some gap is expected in any compound file (the 512-byte header, the FAT and directory sectors, and the rounding of each stream up to a whole sector), but that overhead amounts to a few KB, not 118 KB. Unallocated sectors are the canonical hiding place for pre-macro-era Office exploit payloads: typically XOR-encoded shellcode that the exploit reaches through a memory-corruption bug in the document parser (a corrupted pointer in the document structure), so the payload never has to appear in any stream.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace present in ordinary Office markup; it is not a contacted host and not an indicator on its own.
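As an added worked example (not part of the original report or of the engine that produced it), the check behind the OLE_SLACK_ANOMALY heuristic implemented against the Compound File Binary layout: parse the header, load the FAT through the DIFAT, count the sectors inside the file that no FAT entry allocates, and separately total the declared sizes of the stream directory entries. Counting from the FAT is stricter than "file size minus stream sizes", because header, FAT and directory sectors are allocated and so are not mistaken for slack. The sample container, the 25% threshold, and the 'WordDocument' stream name are constructed assumptions for the demonstration; build_sample_ole fabricates a minimal v3 file with six sectors that no chain references.

```python
import struct

# Sentinel values from the Compound File Binary (OLE2) specification.
MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD  # free / chain end / FAT sector
NOSTREAM = 0xFFFFFFFF  # directory pointer with no target

def _sector(data, n, size):
    # Sector n begins one sector past the header (v4 pads the 512-byte header to 4096).
    return data[(n + 1) * size:(n + 2) * size]

def _chain(fat, start):
    """Follow a FAT chain; ends at ENDOFCHAIN/FREESECT (both >= len(fat)) or on a loop."""
    chain, sec = [], start
    while sec < len(fat) and sec not in chain:
        chain.append(sec)
        sec = fat[sec]
    return chain

def analyze_ole_slack(data):
    """Compare the sectors a CFB file allocates through its FAT against the sectors it contains."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE/CFB container")
    major, _, shift = struct.unpack_from("<HHH", data, 26)  # major version, byte order, sector shift
    size = 1 << shift                                       # sector size: 512 (v3) or 4096 (v4)
    num_fat_sectors, first_dir = struct.unpack_from("<II", data, 44)
    first_difat, num_difat = struct.unpack_from("<II", data, 68)
    total_sectors = (len(data) - size) // size
    per_sector = size // 4

    # The DIFAT lists the FAT sectors: 109 entries in the header, then chained DIFAT sectors.
    difat, sec = list(struct.unpack_from("<109I", data, 76)), first_difat
    for _ in range(num_difat):
        if sec >= total_sectors:
            break
        entries = struct.unpack_from(f"<{per_sector}I", _sector(data, sec, size))
        difat.extend(entries[:-1])
        sec = entries[-1]
    fat = []
    for s in difat[:num_fat_sectors]:
        if s < total_sectors:
            fat.extend(struct.unpack_from(f"<{per_sector}I", _sector(data, s, size)))

    # Slack = sectors present in the file that the FAT leaves free (or never covers) plus any partial
    # trailing sector. Header, FAT and directory sectors are allocated, so they are not counted.
    allocated = sum(1 for i in range(min(total_sectors, len(fat))) if fat[i] != FREESECT)
    slack_bytes = (total_sectors - allocated) * size + (len(data) - size) % size

    # Total the declared sizes of stream entries (object type 2) along the directory chain.
    names, declared = [], 0
    for dsec in _chain(fat, first_dir):
        raw = _sector(data, dsec, size)
        for off in range(0, len(raw) - 127, 128):
            name_len, obj_type = struct.unpack_from("<HB", raw, off + 64)
            if obj_type != 2:
                continue
            stream_size = struct.unpack_from("<Q", raw, off + 120)[0]
            if major == 3:
                stream_size &= 0xFFFFFFFF  # v3: the high 32 bits of the size are undefined
            names.append(raw[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace"))
            declared += stream_size
    return {"file_size": len(data), "sector_size": size, "total_sectors": total_sectors,
            "allocated_sectors": allocated, "slack_bytes": slack_bytes, "slack_ratio": slack_bytes / len(data),
            "declared_stream_bytes": declared, "stream_names": names}

def is_slack_anomaly(report, threshold=0.25):
    """Assumed threshold: legitimate structural overhead is a few sectors, never a quarter of the file."""
    return report["slack_ratio"] > threshold

def _dir_entry(name, obj_type, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    e = bytearray(128)
    raw_name = (name.encode("utf-16-le") + b"\x00\x00") if name else b""
    e[:len(raw_name)] = raw_name
    struct.pack_into("<HBB", e, 64, len(raw_name), obj_type, 1)  # name length, object type, colour
    struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)   # left sibling, right sibling, child
    struct.pack_into("<IQ", e, 116, start, size)                 # starting sector, stream size
    return bytes(e)

def build_sample_ole(slack_sectors=6):
    """Constructed test data, not a real document: minimal v3 container with the FAT in sector 0, the
    directory in sector 1, a 1000-byte 'WordDocument' stream in sectors 2-3, then unreferenced filler."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)        # minor/major version, LE, 2^9-byte sectors, 2^6 mini
    struct.pack_into("<7I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0)  # 1 FAT sector, directory at sector 1, no mini FAT
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)                    # no DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))         # the only FAT sector is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, 3, ENDOFCHAIN, *([FREESECT] * 124))
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry("WordDocument", 2, start=2, size=1000) + _dir_entry("", 0) * 2)
    stream = bytes(i & 0xFF for i in range(1000)).ljust(1024, b"\x00")
    filler = bytes((i * 37 + 11) & 0xFF for i in range(512 * slack_sectors))  # stands in for a hidden payload
    return bytes(hdr) + fat + directory + stream + filler

if __name__ == "__main__":
    r = analyze_ole_slack(build_sample_ole())
    print(f"{r['file_size']} B file, {r['declared_stream_bytes']} B declared in streams, "
          f"{r['slack_bytes']} B ({r['slack_ratio']:.0%}) unallocated, anomaly={is_slack_anomaly(r)}")
```

Run it on a real file with analyze_ole_slack(open(path, "rb").read()); on the sample described in this report it gives the FAT-based counterpart of the 143,360 versus 24,669 byte comparison above. When the ratio is high, the next step is to carve the unallocated sectors (every index whose FAT entry is FREESECT) and test them for single-byte XOR keys or shellcode patterns, since that is where such payloads are expected to sit.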