Office (OLE) malware analysis — malicious · f09cf5c6fc753de7

MALICIOUS

Office (OLE)

72.0 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: c49bbb492d443f1ab0f5de399ba1e1e1 SHA-1: ef6531bf31a008390cfc0b628cd46aa406787649 SHA-256: f09cf5c6fc753de77cf9763a94010bbf82ace10254711c418955ea972aeb43c4

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1055 Process Injection

The OLE document exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristic firings for VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress strongly suggest the file is designed to dynamically load and execute code, a common technique for malware droppers or loaders. No document body text or scripts were extracted, limiting further analysis of the specific payload or lure.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 73,744 bytes but its declared streams total only 21,151 bytes — 52,593 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.