Office (OLE) malware analysis — malicious · ee7e2ad0293bdb4a

MALICIOUS

Office (OLE)

246.5 KB Created: 2018-01-30 13:27:00 Authoring application: Microsoft Office Word First seen: 2020-08-25

MD5: af24f230cc47a04ce0b845799c9092c5 SHA-1: e45e5cc74bf557d435e683705ce2f707fdaf637a SHA-256: ee7e2ad0293bdb4a205eed62e80e5b899631931a666c89411cd43e8716ca75a2

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file exhibits a significant amount of slack space, which is a common technique used to hide malicious content within otherwise legitimate files. ClamAV detection as 'Img.Dropper.PhishingLure' strongly indicates a phishing or deceptive purpose. The embedded URL, though benign, is present within the document structure.

Heuristics 3

ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 252,416 bytes but its declared streams total only 24,693 bytes — 227,723 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.