Office (OLE) / .DOC malware analysis — malicious · 1ddc42c0bac403e2

MALICIOUS

Office (OLE) / .DOC

220.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 433277047395222227e1893c7d35b2e5 SHA-1: e4687cb95f9b5f699585eb2cde7d1d6eefcbfa60 SHA-256: 1ddc42c0bac403e28c8357676f62bfa92d6391e5d83accae8dc69c527f1e6b1e

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter T1059.003 Windows Command Shell

The sample exhibits high-confidence heuristic firings for CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, indicating a strong intent to execute code. The OLE slack anomaly suggests potential obfuscation or padding within the document structure. While no specific document body content or scripts were extracted, the API calls strongly suggest the file is designed to download and execute a secondary payload.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 225,280 bytes but its declared streams total only 94,801 bytes — 130,479 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.