Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1e3650c49690a22…

MALICIOUS

Office (OLE)

176.6 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel
MD5: 215b28e3d94cd0ac076b9b403a4d06c2 SHA-1: d35aafe4631027c3af6aaec6f2c4dc13ede2d236 SHA-256: e1e3650c49690a22d74a42d1a7f652ab302bf6825a7269fada17077a3a147122
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1218.011 System Binary Proxy Execution: Rundll32 T1071.001 Web Protocols: Web Protocols

The sample is an OLE document with a significant slack space anomaly, suggesting hidden or packed content. Heuristics indicate the use of Windows API functions like VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, commonly employed by malware to allocate memory, modify permissions, and load dynamic libraries. While no scripts were extracted, the presence of these API calls strongly suggests the document is designed to download and execute a second-stage payload. The document body itself contains text related to various application forms, which could serve as a lure to disguise the malicious intent.

Heuristics 6

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 180,848 bytes but its declared streams total only 21,308 bytes — 159,540 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0
    • http://www.microsoft.com0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.microsoft.com/pki/crl/products/WinPCA.crl0:�8�6�4http://www.microsoft.com/pki/crl/products/WinPCA.crl0R
    • http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0��

Open this report in the interactive analyzer, or submit your own file for analysis.