Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c7c2ce8e78489f60…

MALICIOUS

Office (OLE)

175.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: abfc269160f01375b0f62868ae2ab127 SHA-1: 7da5496f1281802ba2e5505ae43bce70a371e6ab SHA-256: c7c2ce8e78489f606b51dead80249f05234bbcadf8c30b1fced15fe31c2ad1b2
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample contains a high-severity heuristic firing for CreateProcess API, indicating an attempt to launch an external process. The OLE document structure also shows a significant amount of slack space, which can be used to hide malicious code or data. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or delivery mechanism. The confidence is moderate due to the lack of specific script or body content.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 179,200 bytes but its declared streams total only 94,801 bytes — 84,399 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.