MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059 Command and Scripting Interpreter
The OLE document exhibits a significant amount of slack space (92%), which is anomalous and often indicative of packed or obfuscated malicious content. Furthermore, a high-severity heuristic detected a reference to the CreateProcess API, a common function used by malware to launch new processes. While no specific malicious behavior was directly observed, these indicators suggest the file is likely a malicious OLE document intended to execute a payload.
Heuristics 3
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 159,156 bytes but its declared streams total only 12,288 bytes — 146,868 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.