Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8d6b9f8ab6164bdf…

MALICIOUS

Office (OLE)

131.0 KB Created: 2011-04-04 06:50:00 Authoring application: Microsoft Office Word First seen: 2015-10-01
MD5: c28a09d34efcee89abbb45605b273e00 SHA-1: d22bf0207b35dc445f4bfe6708b211c132d9ae24 SHA-256: 8d6b9f8ab6164bdf46344b06205b5a7fa92d07cf03920c0d523df1b3331c01a8
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is a Microsoft Office document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. A critical heuristic identified an embedded Adobe Flash (SWF) object, which is commonly used to deliver exploits. This suggests the document's primary purpose is to leverage vulnerabilities within the Flash Player to execute arbitrary code on the victim's system.

Heuristics 2

  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 134,160 bytes but its declared streams total only 22,169 bytes — 111,991 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).