Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aa95cee12bc8d6de…

MALICIOUS

Office (OLE)

Size: 36.9 KB
Created: 2005-06-29 18:14:00
Authoring application: Microsoft Word 10.0
MD5: 1013ba5d80e3bdd532490fc9fa8004c1
SHA-1: 0c82292184964f1273ecb17efa71a64ecdf9d70b
SHA-256: aa95cee12bc8d6dee57288abed98d9d6757fe35e891bdcb32fbbd81fefc37d8c
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document that fired a high-severity heuristic for referencing the CreateProcess API. This indicates an attempt to launch an external process. The document body is heavily corrupted and unreadable, preventing further analysis of its specific lure or intent. No scripts were extracted from this sample. The confidence is moderate due to the lack of readable content and specific IOCs.

Heuristics (2)

  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 37,808 bytes but its declared streams total only 20,632 bytes; the remaining 17,176 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).