Office (OLE) malware analysis — malicious · aa1624f9bcaada45

MALICIOUS

Office (OLE)

676.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 4824af810fa95a1eda12985fa70e30e9 SHA-1: 573f5a69c4c7e0d9911fd7a68653ebb08c8594a9 SHA-256: aa1624f9bcaada459cfc768f3936b1ceb990398849c7a43546e83b6616e4fc12

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The file is identified as a malicious OLE document. Static analysis revealed a significant amount of slack space within the OLE structure, which is often used to hide malicious content. Additionally, a reference to the CreateProcess API was detected, indicating the potential for the document to launch external processes. While no specific URLs or scripts were extracted, these indicators suggest a high likelihood of malicious intent, possibly for code execution.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 692,640 bytes but its declared streams total only 21,151 bytes — 671,489 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.