Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 74cccadc802bd1ec…

MALICIOUS

Office (OLE)

122.5 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: 685454e1e1257b875a1c298c629ff80a SHA-1: 33e9901c0765255ac1430c4e8a1c7febb4021108 SHA-256: 74cccadc802bd1ec5fcee1da9a222545546e2053809518bf02ce744abcee8032
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is an OLE document with significant slack space and an appended payload, indicating it's designed to deliver malicious content. Heuristics like OLE_APPENDED_PAYLOAD and EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE strongly suggest exploitation. The embedded document contains obfuscated strings that reconstruct to a registry path, likely for persistence or disabling security features, and calls to WinExec, indicating execution of a secondary payload.

Heuristics 4

  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 125,440 bytes but its declared streams total only 16,486 bytes — 108,954 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00004c00.ole
852a696b9a0717d6e43fd9688d4e8488b21912439c9838d0c27d0cac54538b07		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x4C00 105984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.