Office (OLE) malware analysis — malicious · e7313ebf953f645f

MALICIOUS

Office (OLE)

64.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 80c5c36ae773802ebce21b13dd8d622b SHA-1: d31606dd3bc8e67966cebe5c35f8c7b8d645c882 SHA-256: e7313ebf953f645f4d6bf563f4daf1846e5c04889e4d9d1e605d6f0ef756c6f7

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The sample is an OLE document with a high-confidence heuristic firing for CreateProcess API usage, indicating an attempt to launch an external process. This is further supported by an embedded URL, suggesting the document is a lure to download and execute a secondary payload. The large slack space in the OLE structure is anomalous but does not directly inform the attack pattern.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 65,696 bytes but its declared streams total only 21,151 bytes — 44,545 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.boycottmadeinchina.org

Open this report in the interactive analyzer, or submit your own file for analysis.