Office (OLE) malware analysis — malicious · 8ecd8f5c9e8d93c7

MALICIOUS

Office (OLE)

158.5 KB Created: 2005-06-29 18:14:00 Authoring application: Microsoft Word 10.0 First seen: 2015-09-18

MD5: 14f6ba9280278f05b42b6262bc9c5740 SHA-1: 379c6c7dd0dd2680afb503e6c8e69f6702db4c22 SHA-256: 8ecd8f5c9e8d93c7f80459fb1ca3dba2752cfff44f1127d1d3d8869eb322fb20

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The file is an OLE document with significant slack space and an appended payload, indicating it likely contains and attempts to execute malicious code. The presence of an embedded URL, though benign in this case, is a common tactic for downloading secondary payloads. The obfuscated nature of the document body and the appended payload suggest an attempt to evade detection.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 162,304 bytes but its declared streams total only 20,632 bytes — 141,672 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.