Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d69663aca639accf…

MALICIOUS

Office (OLE)

160.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: 3ca3294d2c74ae7978f8c2c3942489b5 SHA-1: 4a6ce0745eeb76d4f0d678d3e60fd43f4eef919c SHA-256: d69663aca639accf7d8e06491f587a39de3352a2966b1423227112b9969bbfb6
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is an OLE document with a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate PEB access via FS segment, often associated with exploit techniques. While no specific VBA or script content was provided, the presence of these indicators suggests an attempt to exploit a vulnerability within the document to download and execute a secondary payload. The benign URLs extracted do not contribute to the maliciousness assessment.

Heuristics 3

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 163,840 bytes but its declared streams total only 16,486 bytes — 147,354 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml

Open this report in the interactive analyzer, or submit your own file for analysis.