Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1c257988af41b2dc…

MALICIOUS

Office (OLE) / .DOC

Size: 190.5 KB
MD5: 855cdd269e474e5f873897d64af2aac5
SHA-1: 825ef000d26289e520a2173a41d56b199ba4445b
SHA-256: 1c257988af41b2dc7eddb5108f6a17ca7abc357b28a9bb17ea2fd270320ff661
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059 Command and Scripting Interpreter

The sample is a malicious OLE document exhibiting a significant slack space anomaly, suggesting embedded malicious content. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, commonly used by malware to load and execute code. The presence of a NOP sled further supports the likelihood of shellcode execution. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, leading to an unknown family classification.

Heuristics (4)

  • NOP sled detected (severity high, rule SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
  • Reference to LoadLibrary API (severity high, rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity high, rule SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity high, rule OLE_SLACK_ANOMALY)
    OLE file is 195,076 bytes but its declared streams total only 31,351 bytes; the remaining 163,725 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).