Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dece4c0e141dbf7f…

MALICIOUS

Office (OLE)

57.9 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 5e9d5271bbd2e7f2bcd0105ebf995a75 SHA-1: cff1e68d761d1db4c8b0216a43d8aeec395bf7a3 SHA-256: dece4c0e141dbf7f2a48e496fdb6603d8115937186685ddcbfa4a46dad87a6a7
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document with a high slack space anomaly, indicating potential obfuscation or embedded malicious content. A high-severity heuristic firing for the CreateProcess API suggests the document attempts to launch an external process. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or delivery mechanism.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 59,296 bytes but its declared streams total only 21,151 bytes — 38,145 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.