Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a1cbca119b43db9…

MALICIOUS

Office (OLE)

189.5 KB
MD5:     6280e32367f4b8cda580460a02caa736
SHA-1:   d04c2148f0ab0765014c36ee5a68e42e401cbf0d
SHA-256: 8a1cbca119b43db93a4e35fe9cc79e9c18829da474253f700eef17dccbdcf589

Risk Score: 80

Malware Insights

The OLE document exhibits a significant amount of slack space, which is anomalous and often indicative of malicious intent, potentially serving as a steganographic container or a dropper. The PEB access heuristic further suggests suspicious code execution within the document. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, leading to a lower confidence in family attribution.

Heuristics (2)

  • PEB access via FS segment (x86) — severity: high — SC_PEB_ACCESS
    Code in the document reads the Process Environment Block through the FS segment register (x86), a pattern associated with position-independent shellcode locating loaded modules and API addresses.
  • OLE document has large unaccounted-for region — severity: high — OLE_SLACK_ANOMALY
    OLE file is 194,049 bytes but its declared streams total only 94,801 bytes; 99,248 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).