Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd107aa00a083e8c…

MALICIOUS

Office (OLE)

104.1 KB First seen: 2012-10-03
MD5: 6608e918874bd3c85e111f72c2abc917 SHA-1: 7e4019f67600a1e6195f127852fb3291a989f5e1 SHA-256: cd107aa00a083e8c24e82f95ed9c8acf7947dff98738ab4a9eee0cc451bdf4f3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE document exhibiting a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics firing for LoadLibrary and GetProcAddress strongly suggest the file is designed to execute arbitrary code, likely through an exploit.

Heuristics 3

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 106,560 bytes but its declared streams total only 8,934 bytes — 97,626 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.