Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ba3bdf5cb7365d34…

MALICIOUS

Office (OLE)

59.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 23351e2f50e002a60b5bc6aa363decfe SHA-1: f7fd41251941f86000fc3069d5fbe36d8d99f568 SHA-256: ba3bdf5cb7365d347ce3e1986921efcfe6dfe9a940fb9486cbfbe2b840740eea
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document with a high slack space anomaly, indicating potential obfuscation or embedded malicious content. A high-severity heuristic firing for CreateProcess API suggests the document attempts to launch an external process. The document body is filled with unreadable characters, providing no contextual clues. Without further script or URL evidence, the exact nature of the payload remains unclear, but the CreateProcess API call is a strong indicator of malicious intent.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 60,832 bytes but its declared streams total only 21,151 bytes — 39,681 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.