Office (OLE) malware analysis — malicious · e0ba498b6f930de2

MALICIOUS

Office (OLE)

58.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 53cc2e20f93a3b41360997cd493db751 SHA-1: 01e4290d740f1e8d502e6c5753392e8d1c86f559 SHA-256: e0ba498b6f930de2b35d9dda6e0e55acab6e88fe6ed8cd0bde10fbe2c9805e39

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of Windows API calls such as VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, which are commonly used by malware to allocate memory, load malicious code, and resolve function addresses. These findings suggest the file is designed to download and execute a second-stage payload, although no specific URLs or scripts were extracted.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 59,920 bytes but its declared streams total only 21,151 bytes — 38,769 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.