Office (OLE) malware analysis — malicious · d61578f0bc93b63e

MALICIOUS

Office (OLE)

99.0 KB

MD5: c756b73476d03b49b4d751f3cb186941 SHA-1: d8a8a02d15131fd06d7b4e0f3d305b8287ba16c5 SHA-256: d61578f0bc93b63efc178a56042fd64922c01619c89be8884f3b7cf9ec004b7d

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information

The file is an OLE document with significant slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate references to WinExec, LoadLibrary, and GetProcAddress, common in malware for executing or loading additional payloads. The presence of XOR-encoded strings with a key of 0x03 further supports the obfuscation technique. While no specific document body content or scripts were provided for analysis, the combination of OLE anomalies and API calls strongly suggests a malicious dropper or container.

Heuristics 5

XOR-encoded strings (key 0x03) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x03: 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA', 'WriteProcessMemory', 'ReadProcessMemory'
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 101,376 bytes but its declared streams total only 31,351 bytes — 70,025 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.