Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ef15e9aeb5758620…

MALICIOUS

Office (OLE)

141.8 KB
MD5: f2f87e8fa57f0ac0e2af34652bd06f91 SHA-1: e44ddb2b7b832702553c36b3625f9821dfd800ec SHA-256: ef15e9aeb57586204494c8ad1be223ee5cdb479a4029c41f8f6e23c5461a3552
180 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The OLE document exhibits a significant slack space anomaly and contains an embedded PE executable. The presence of LoadLibrary and GetProcAddress API references suggests dynamic loading of malicious code. The embedded executable is the primary indicator of malicious intent, likely serving as a dropper for further stages.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 145,156 bytes but its declared streams total only 31,351 bytes — 113,805 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015000.exe
f79d2ce00f0fa557f6b88b808ac83d5bafbc333a55f117dc2de17d1b56a430bc		 embedded-pe Office MZ+PE at offset 0x15000 59140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.