Malicious Office (OLE) / .0 — malware analysis report

Static analysis result for SHA-256 eb54e72c32261368…

MALICIOUS

Office (OLE) / .0

Size: 166.8 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: ccd6ce44be84f864f0c80bb9a525b528
SHA-1: 062d1be3aa2f0badc89055eb088cafd4ff5bf0d9
SHA-256: eb54e72c32261368fddd327549d5ee27953498e2206396a385d2adffc46de50a
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1105 Ingress Tool Transfer

The OLE document exhibits a significant slack anomaly and contains an embedded PE executable. Heuristics indicate the use of APIs like VirtualAlloc, LoadLibrary, and GetProcAddress, which are commonly used by malware to load and execute payloads. The presence of an embedded executable strongly suggests a dropper or downloader functionality, where the document serves as a container for a secondary malicious payload.

Heuristics (5)

  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 170,756 bytes but its declared streams total only 94,801 bytes — 75,955 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_0001c600.exe
    SHA-256: 2e5fe2d23aff8759ac99cf5fb37d06e6509f2c548c8c4971214b747c0b62074f
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x1C600
    Size: 54532 bytes