Office (OLE) malware analysis — malicious · a5cb8f8b3c48120b

MALICIOUS

Office (OLE)

115.0 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: d40abccf45394d94c9ca6f25d4fd2d81 SHA-1: e69ec795d589854b38cb33deb4944e645bb6ad80 SHA-256: a5cb8f8b3c48120b4e832d181110572db6e3418dee4eadbe7df9f78fabaa7a1c

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File T1059.001 PowerShell

The sample exhibits high-confidence heuristics indicating the use of Windows API functions such as CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress. These point to the document's likely intent to download and execute a second-stage payload. The OLE slack anomaly suggests potential obfuscation or padding within the file structure. Without a document body or script content, the specific lure or payload mechanism cannot be determined.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 117,741 bytes but its declared streams total only 21,151 bytes — 96,590 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.