Office (OLE) / .VI malware analysis — malicious · ab50323595ab70ff

MALICIOUS

Office (OLE) / .VI

355.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: c21bc825dc9891a6758aa5a96e0373f0 SHA-1: a768f1f4eeec5350256190d6eba2b56adf562f42 SHA-256: ab50323595ab70ff6ab7f04ead3b6ada44bd573c91c0efbed6389e59c114e508

200 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The critical heuristic firing indicates an embedded Adobe Flash (SWF) file within an OLE document. This, combined with references to VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggests the SWF is designed to execute code. The large slack space in the OLE document further supports the possibility of hidden malicious content. The file's SHA256 hash is provided as an IOC.

Heuristics 5

Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF

Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 363,543 bytes but its declared streams total only 24,565 bytes — 338,978 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.