Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0da5c76e17918eb2…

MALICIOUS

Office (OLE) / .DOC

62.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 18d3c1b27a744e778a08e16188370dd8 SHA-1: e1a5592263855342e4a723bab47cfbf104a0afee SHA-256: 0da5c76e17918eb2f98402b3c2ebb16a24da18c1a37c4b1a32cf25526d4b2cf8
80 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE document that contains a reference to the CreateProcess API, indicating an attempt to execute external code. The large slack space in the OLE structure is also anomalous. Without a document body or script content, the exact payload and delivery mechanism are unclear, but the CreateProcess API call strongly suggests a downloader or dropper functionality.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 63,648 bytes but its declared streams total only 21,151 bytes — 42,497 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.