Office (OLE) malware analysis — malicious · d41a2d72b79b3f3c

MALICIOUS

Office (OLE)

378.5 KB

MD5: 1e03276d4536e3f4644a4ff9d607d58c SHA-1: a33788c173518e3265cf3b7001bb307c7596a4d0 SHA-256: d41a2d72b79b3f3c4b1d1b3711868a9ea43a48e6d777aceb944dc1466e2d3848

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File

The sample exhibits high-confidence heuristics for WinExec, CreateProcess, cmd.exe invocation, LoadLibrary, and GetProcAddress, indicating an attempt to execute code. The embedded URL http://www.5iantlavalamp.com/C is likely part of the payload delivery chain. The OLE slack anomaly suggests potential obfuscation or padding within the file structure.

Heuristics 8

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 387,584 bytes but its declared streams total only 31,351 bytes — 356,233 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.5iantlavalamp.com/C

Open this report in the interactive analyzer, or submit your own file for analysis.