Office (OLE) malware analysis — malicious · d798a04abbf282c7

MALICIOUS

Office (OLE)

135.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 8f2d30ef61120aecb114ec84cdbf6018 SHA-1: 90b298ecbc594ed62f199e699bbcf2ad148219b3 SHA-256: d798a04abbf282c7e8305783286cd19210d42c177aba853955b2afc76a34ab88

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is an OLE document with a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. References to LoadLibrary and GetProcAddress APIs suggest dynamic code loading. While the embedded URLs are benign, the overall structure and API calls are suspicious. No scripts were extracted from this sample.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 138,704 bytes but its declared streams total only 21,151 bytes — 117,553 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.time.com/time/photogallery/0,29307,1855878,00.html
- http://www.time.com/time/photogallery/0,29307,1722865,00.html

Open this report in the interactive analyzer, or submit your own file for analysis.