Office (OLE) malware analysis — malicious · af4a26c8233810b4

MALICIOUS

Office (OLE)

169.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: a7b3fbd32a6deb9760d72bd5dad608d9 SHA-1: ea7beb1f4b0387e60ad59bb4c7e2bf3a6c9aee9d SHA-256: af4a26c8233810b456658876dfdded0d30102dd94ced8001af35ee3e0ae480f8

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The OLE document contains a large slack space anomaly and a critical finding of an embedded PE executable. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls suggests that the embedded executable is likely designed to be loaded into memory and executed. The document body is heavily obfuscated and does not provide clear user-facing content, further indicating a malicious intent to deliver an executable payload.

Heuristics 5

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 173,828 bytes but its declared streams total only 94,801 bytes — 79,027 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0001c600.exe` `f3bed287d570e0c026b51346770463154030b60617eb9e9ce083fbff3a23a47d`	embedded-pe	Office MZ+PE at offset 0x1C600	57604 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.