Office (OLE) malware analysis — malicious · b05db57ed693068a

MALICIOUS

Office (OLE)

86.2 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: b5c33f8a639d937b48930fa180b03ff2 SHA-1: cb5d3b224cc79ceed1b2e684da455b752e6fafb8 SHA-256: b05db57ed693068a2f8b8b7248dce18f7a4fcfa42c0fad13fb482add09187701

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 Signed Binary Proxy Execution

The presence of ShellExecute and GetProcAddress API calls, along with VirtualProtect, suggests the execution of shellcode or a downloaded payload. The OLE Slack Anomaly indicates potential obfuscation or padding within the file structure. Without a document body or script content, the exact nature of the payload remains unclear, but the API calls point towards a downloader or executioner.

Heuristics 4

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 88,308 bytes but its declared streams total only 24,565 bytes — 63,743 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.