Office (OLE) malware analysis — malicious · a6bab9ab1504d332

MALICIOUS

Office (OLE)

56.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 20cbbe336565aa3d8285984efc25e74d SHA-1: 822a32e20816ea196f8e8136b9fae8de59720df0 SHA-256: a6bab9ab1504d33292118080baa59b43efc62e01a33ef9be167a3326d4a56c07

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is an OLE document with a high slack anomaly, indicating potential obfuscation or embedded malicious content. A heuristic firing for CreateProcess API suggests the document attempts to launch an external process. The document body is unreadable, and no scripts were extracted, limiting further analysis of the exact execution chain. The confidence is moderate due to the lack of specific indicators beyond the CreateProcess API call.

Heuristics 2

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 57,760 bytes but its declared streams total only 21,151 bytes — 36,609 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.