Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7878d11b302ad367…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 135.3 KB (138,557 bytes)
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 1cd3a09c4c6fba598e0b92cda1accdfdf
SHA-1: cc5b1b639607d66d984220b5f227a7e89270162e
SHA-256: 7878d11b302ad367ffb17ca3b1aecd1fed35a9fb3b725f2ace448c02a6e8d27d
Risk Score: 140

Malware Insights

Of the file's 138,557 bytes, only 21,151 belong to declared streams; the remaining 117,406 bytes (85%) sit in unallocated sector slack, a region that a well-formed document never references and that is commonly used to stash a payload. String heuristics also flag the APIs used for dynamic code loading and execution (VirtualAlloc, LoadLibrary, GetProcAddress), the usual import-resolution sequence of position-independent shellcode. Those API hits are plain string matches, so their weight comes from coinciding with the slack anomaly rather than from any single one. No document body or scripts were extracted, which limits further analysis of the specific payload and delivery mechanism; the slack region itself is the natural place to carve and examine next.

Heuristics (4)

  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    OLE file is 138,557 bytes but its declared streams total only 21,151 bytes; the remaining 117,406 bytes (85%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API