Office (OLE) malware analysis — malicious · e8646e7aca3b13f6

MALICIOUS

Office (OLE)

81.5 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 24df01c6d0d46c335ce91afe2ba6ff4a SHA-1: d4f89cd68666458b135ceeeb9ed67e3af716d24a SHA-256: e8646e7aca3b13f69a8da3f771a7c44f37bfadccfa0e01e3728fe42d90a80b98

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1059 Command and Scripting Interpreter

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. The PEB access heuristic suggests an attempt to interact with the process environment, often a precursor to payload execution. While no scripts were directly extracted, the document structure and heuristics point towards a malicious macro or exploit within the Word document itself, likely designed to download and execute a second-stage payload.

Heuristics 3

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 83,456 bytes but its declared streams total only 16,486 bytes — 66,970 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.