Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce34cdd78ac1ff20…

MALICIOUS

Office (OLE)

Size: 1.02 MB
Created: 2011-04-04 06:50:00
Authoring application: Microsoft Office Word
First seen: 2015-09-26
MD5: 4911eebb79ccd1d78dadb6ab301aef86
SHA-1: 650c42198cb910e5153251c6619085fd400ace82
SHA-256: ce34cdd78ac1ff20620f7814ac67e1abb8ab8e22a9034f0b433e65fd22d52de3
Risk score: 140

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The analysis identified an embedded Adobe Flash (SWF) object within the OLE document. Flash objects embedded in Office files were the delivery mechanism for a series of Flash Player exploits, and Flash itself has been end-of-life since December 2020, so the object has no plausible benign purpose in a Word document. In addition, 98% of the file sits in sector slack that no declared stream accounts for, and that region carries shellcode, PE or loader-API markers, which indicates the document is built to conceal and deliver a secondary payload once the exploit runs. Taken together, these elements point to an exploitation attempt, most likely delivered as a spearphishing attachment. The OLE creation timestamp (2011) is writer-supplied metadata and should not be used to date the exploit; the first-seen date (2015-09-26) is the only externally observed bound.

Heuristics (3)

  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,064,621 bytes but its declared streams total only 22,169 bytes: the remaining 1,042,452 bytes (98%) sit in sectors that no stream's FAT chain allocates. This is the classic hiding place for payloads in binary-format Office exploit documents from before macro-based delivery became the norm: an XOR-encoded shellcode stage and its payload are stored outside any declared stream, and a parser memory-corruption bug (typically a corrupted pointer or length in the document structure) redirects execution to it. A legitimately saved document can carry some unreferenced sectors (fast-save and deleted-stream residue), but not 98% of its bytes, so comparing the file size with the FAT-allocated total is a cheap first triage check.
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    The region beyond the FAT-allocated streams is large and high-entropy, and it contains shellcode, PE or loader-API markers (for example an MZ header, the DOS stub string, or names such as LoadLibraryA and GetProcAddress). This is a payload-carrier signal, not a CVE attribution: the heuristic does not identify the exploit that transfers control to the region, and the region should be carved and decoded (a single-byte XOR key is the common case) to recover the actual payload before any attribution is made.
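As an added worked example (not part of the analysis output above, the scanner's code, or any specific tool), the following Python implements the checks behind OLE_SLACK_ANOMALY and OLE_APPENDED_PAYLOAD, plus a raw-magic scan for OFFICE_EMBEDDED_SWF, against a constructed compound file. It parses the CFB header, FAT and directory, sums the bytes that no FAT chain allocates, carves that region, sweeps it for a single-byte XOR key (the encoding the slack heuristic describes) and lists candidate SWF headers. Everything beyond the page is an assumption: the sample document, its loader stub and the XOR key are constructed; the marker list, the SWF version bound (1 to 60) and the decision to ignore DIFAT overflow sectors and the mini FAT (mini streams sit inside FAT-allocated root sectors, so skipping them does not create false slack) are mine.

```python
import math, re, struct
from collections import Counter

# Constructed example, not code from the report: a minimal OLE/CFB v3 parser that reproduces the
# OLE_SLACK_ANOMALY / OLE_APPENDED_PAYLOAD arithmetic, carves the unallocated sectors, sweeps them for a
# single-byte XOR key, and locates raw SWF headers for the OFFICE_EMBEDDED_SWF case.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
DOS_STUB = b"This program cannot be run in DOS mode"
PAYLOAD_MARKERS = [b"MZ", DOS_STUB, b"FWS", b"CWS", b"ZWS",              # PE; raw / zlib / LZMA SWF
                   b"LoadLibraryA", b"GetProcAddress", b"WinExec", b"URLDownloadToFile"]

def parse_ole(data):
    """Header, FAT and directory of a CFB v3 file -> (sector size, FAT-allocated sectors, [(name, type, size)])."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:num_fat]:     # header DIFAT only; overflow DIFAT ignored
        off = (s + 1) * sector_size
        if off + sector_size > len(data):                            # FAT sector claimed past EOF: stop
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    allocated = {i for i, e in enumerate(fat) if e != FREESECT}
    entries, sector, seen = [], first_dir, set()
    while sector < len(fat) and sector not in seen:                 # 'seen' bounds a looped directory chain
        seen.add(sector)
        base = (sector + 1) * sector_size
        for i in range(base, base + sector_size, 128):
            e = data[i:i + 128]
            if len(e) == 128 and e[0x42] != 0:                       # skip truncated or unused entries
                name_len = struct.unpack_from("<H", e, 0x40)[0]
                name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
                entries.append((name, e[0x42], struct.unpack_from("<I", e, 0x78)[0]))
        sector = fat[sector]
    return sector_size, allocated, entries

def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted data runs close to 8."""
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values()) if buf else 0.0

def find_xor_key(blob, marker=DOS_STUB):
    """Single-byte XOR sweep: search for marker XOR key rather than decoding the blob 256 times."""
    for key in range(256):
        idx = blob.find(bytes(b ^ key for b in marker))
        if idx != -1:
            return key, idx
    return None

def find_swf_headers(data):
    """Offsets of plausible SWF headers (magic + sane version byte); OLE streams are stored uncompressed."""
    return [m.start() for m in re.finditer(rb"[FCZ]WS[\x01-\x3c]", data)]

def slack_report(data):
    """Compare what the FAT and directory account for with the real size, then carve the rest."""
    sector_size, allocated, entries = parse_ole(data)
    total_sectors = (len(data) - sector_size) // sector_size
    slack = b"".join(data[(s + 1) * sector_size:(s + 2) * sector_size]  # range(+1) keeps a partial last sector
                     for s in range(total_sectors + 1) if s not in allocated)
    streams = [(name, size) for name, etype, size in entries if etype == 2]
    return {"file_size": len(data), "streams": streams,
            "declared_stream_bytes": sum(size for _, size in streams),
            "unaccounted_bytes": len(slack),
            "slack_entropy": round(entropy(slack), 2),
            "markers_in_slack": sorted(m for m in PAYLOAD_MARKERS if m in slack),
            "xor_hit": find_xor_key(slack),
            "swf_header_offsets": find_swf_headers(data)}

def dir_entry(name, etype, child, start, size):
    """One 128-byte CFB directory entry (v3: 32-bit stream size)."""
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 0x40, len(raw), etype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<II", e, 0x74, start, size)
    return bytes(e)

def build_ole_with_slack(stream_payload, slack_payload):
    """Constructed sample: header, one FAT sector, one directory sector, one 'WordDocument' stream,
    then bytes that no FAT or directory entry references (the slack the heuristics flag)."""
    n = -(-len(stream_payload) // 512)                                   # stream sectors, rounded up
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)    # versions, byte order, sector shifts
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))    # DIFAT[0]: the FAT lives in sector 0
    directory = (dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dir_entry("WordDocument", 2, NOSTREAM, 2, len(stream_payload)))
    return (bytes(header) + struct.pack("<128I", *fat) + directory.ljust(512, b"\x00")
            + stream_payload.ljust(n * 512, b"\x00") + slack_payload)

XOR_KEY = 0x3C                                                           # assumed key for the constructed payload
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00"                      # stand-in for an embedded executable
LOADER_STUB = b"\xE8\x00\x00\x00\x00\x5B" + b"LoadLibraryA\x00GetProcAddress\x00"  # call/pop GetPC + API names
SAMPLE_DOC = build_ole_with_slack(b"\xEC\xA5" + b"\x00" * 510 + b"FWS\x0A" + b"\x00" * 4484,  # FIB magic, SWF header
                                  LOADER_STUB + bytes(b ^ XOR_KEY for b in FAKE_PE))
```

On a real sample, call slack_report(open(path, "rb").read()). For the constructed document the report shows one 5,000-byte WordDocument stream, 137 unaccounted bytes that hold the plaintext API names and an XOR-encoded executable (key 0x3C recovered from the DOS stub string), and an SWF header inside the stream at file offset 2048. Two caveats for production use: the XOR sweep only finds single-byte keys, and a three-byte SWF magic will produce false positives on large files, so treat an offset as a candidate until the length field and the following tag data parse.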