Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e34ee3e25cb1e67c…

MALICIOUS

Office (OLE)

Size: 121.4 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: fb9d7470721b7747997c2decd8ca1e47
SHA-1: cb9cf017d0f61cc1ca368ecb1fb43925813b2f8a
SHA-256: e34ee3e25cb1e67c783d33307804b43ba89cd49c63451fc2da2d8749d11c9c0a
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls strongly suggests the sample is designed to load and execute arbitrary code, likely a second-stage payload. The OLE slack anomaly indicates a potentially hidden or packed component within the file. While no specific family is identifiable, the techniques used are common for droppers and downloaders.

Heuristics (4)

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 124,317 bytes but its declared streams total only 21,308 bytes — 103,009 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API