Malicious Office (OLE) / .EDB — malware analysis report

Static analysis result for SHA-256 b7ef311f3913f2ba…

MALICIOUS

Office (OLE) / .EDB

64.0 KB
MD5:     f07ca8d3b973594c03970ec8aa638a2f
SHA-1:   dc605279b61adc92acb93103736a5b6fbc56bbda
SHA-256: b7ef311f3913f2ba74025ce0b550ceb1a4c6ee8ebaeed718f735d4ab5bc99517

Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1559 Component Object Model Hijacking
  • T1204 User Execution

The OLE document exhibits a significant slack-space anomaly and, critically, contains an embedded PE executable. The document body, containing Japanese text related to operational performance, appears to be a lure. The presence of LoadLibrary and GetProcAddress API references within the OLE structure suggests dynamic loading of malicious code, most likely from the embedded executable. The primary attack vector is the embedding of a malicious executable inside a seemingly benign document.

Heuristics (4)

  • Embedded PE executable (critical) [OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API (high) [SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high) [SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]
    OLE file is 65,536 bytes but its declared streams total only 22,626 bytes — 42,910 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
SHA-256:  1ae8931600962b5788d70aba1ba45a76e33533a0b5859e78462a98f665d717a8
Kind:     embedded-pe
Source:   Office MZ+PE at offset 0x6000
Size:     40960 bytes