Office (OLE) malware analysis — malicious · 7f64267b8292ec56

MALICIOUS

Office (OLE)

202.8 KB Created: 2006-04-29 01:29:00 Authoring application: Microsoft Office Word

MD5: 01800b3224b856dba1a8f0e0550a6867 SHA-1: 5416f527094f552f029f312d49aad14e6e182dba SHA-256: 7f64267b8292ec56238e8793e32689479e14fcdec0436626daac7dfa251104f3

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file exhibits characteristics of a malicious OLE document, including a detected NOP sled, significant slack space, and an appended executable payload. These indicators suggest the document is a container for a secondary malicious component, likely an executable, which is a common tactic for delivering malware via email attachments.

Heuristics 3

NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 207,701 bytes but its declared streams total only 22,687 bytes — 185,014 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.