Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 98d2943a44ce3992…

MALICIOUS

Office (OLE)

148.3 KB
MD5: 707ea83dba245e231daaec1a72bd20b0 SHA-1: 885eebaab95a8b688db018144e14e99ae0565b07 SHA-256: 98d2943a44ce3992d64d5f78bc22678897d0ce74481fc9c46d9aa4d9499fbc23
200 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1105 Ingress Tool Transfer

The OLE document contains a large slack space anomaly and a critical heuristic firing for an embedded PE executable. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls suggests that the embedded executable is likely designed to be loaded into memory and executed. The document body text is non-descriptive and appears to be test data, providing no further context on the intended lure.

Heuristics 5

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 151,812 bytes but its declared streams total only 31,351 bytes — 120,461 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015800.exe
d22991e98a58cc3eae7238c5771cafa4d7d68b88587953bf044037379e3dbc07		 embedded-pe Office MZ+PE at offset 0x15800 63748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.