Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1e237d71a6cf1dfa…

MALICIOUS

Office (OLE) / .DOC

60.3 KB Created: 2005-05-27 09:07:00 Authoring application: Microsoft Word 10.0
MD5: c113cd20a764a84389536f8c072445f8 SHA-1: e750125ef3cf316f935f40eceb1027bec3986933 SHA-256: 1e237d71a6cf1dfa2effd80db9e126e34d552c63c75523dfa59897077057395a
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious OLE document containing VBA macros. Heuristics indicate the presence of LoadLibrary and GetProcAddress APIs, suggesting the macro attempts to load and execute a payload. The large slack space in the OLE structure is also indicative of obfuscation techniques often used to hide malicious code. No specific family could be identified.

Heuristics 5

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 61,767 bytes but its declared streams total only 21,704 bytes — 40,063 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x61 bytes
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b561f6842168b0dbd5b95cccbec82c422a6330174acca9c971b70fc752d8f934		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 567 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.