Office (OLE) malware analysis — malicious · e3b4d3564a3956dc

MALICIOUS

Office (OLE)

92.2 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 5509d6d0d144b24a83a3a8629f17fe1b SHA-1: dedbc76a612186aa48f885b0e7e536d62d18e650 SHA-256: e3b4d3564a3956dc22245f4cc5f7dfc366078d8013009b59d6679f7697f429df

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1059 Command and Scripting Interpreter

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The PEB access heuristic suggests the sample attempts to interact with the process environment, often a precursor to exploitation or payload execution. While no specific script was extracted, the heuristics and file type strongly suggest an attempt to exploit a vulnerability to download and execute a secondary payload. The SHA256 hash is included as a primary IOC.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 94,424 bytes but its declared streams total only 16,486 bytes — 77,938 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.