Office (OLE) malware analysis — malicious · b242878595ab9e65

MALICIOUS

Office (OLE)

215.5 KB Created: 2017-12-21 19:38:00 Authoring application: Microsoft Office Word First seen: 2020-08-25

MD5: 5ea53b70de56916dc471a1e9bf743476 SHA-1: 4b6e685c40f17496a0fe02d22f8911f88121d5a8 SHA-256: b242878595ab9e65ecd0a5a9d4d1d14ef5a5f2900b2167d5cfe5abdb3a89af72

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file exhibits significant slack space within its OLE structure, a common characteristic of packed or obfuscated malicious documents. ClamAV identifies it as 'Img.Dropper.PhishingLure', strongly suggesting a phishing or scam-related lure. The embedded image data, though truncated, likely serves as the visual component of this lure. No scripts were extracted, and the document body was unreadable.

Heuristics 3

ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 220,672 bytes but its declared streams total only 24,673 bytes — 195,999 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.