Office (OLE) malware analysis — malicious · c4646b24bf12e2ff

MALICIOUS

Office (OLE)

71.8 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: 318645b1fce5fb0213b4a65f537276a1 SHA-1: 217dd9b97d8cb1cc3893bf17d1f981f6f1f83b02 SHA-256: c4646b24bf12e2ff954a18a4b0e3bbf9711f1915b9ab60db7abd3c087e6416a0

82 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The OLE document exhibits anomalies indicative of malicious intent, including a large slack region and an appended executable payload. Although VBA macros could not be extracted due to an unsupported format, the presence of an appended payload suggests the document is designed to exploit a vulnerability and download a secondary stage. The SHA256 hash of the file is provided as a primary IOC.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 73,511 bytes but its declared streams total only 16,486 bytes — 57,025 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.