Office (OLE) malware analysis — malicious · 6c817d56ff6e7ddb

MALICIOUS

Office (OLE)

85.7 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 9f9c9551ca52982c7e22c7e7fdb5e8c1 SHA-1: 9b5e33dfc8833fb70c43c2924e4a09ee431c1399 SHA-256: 6c817d56ff6e7ddb99df5ee256a7216111440af95323bd668338c2899d136ab8

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an OLE document with a significant slack space anomaly, suggesting hidden or packed content. Heuristics indicate the use of Windows API functions commonly associated with memory allocation and loading dynamic libraries, pointing towards the execution of a second-stage payload. No document body or script content was available for further analysis.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 87,712 bytes but its declared streams total only 21,151 bytes — 66,561 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.