Office (OLE) / .DOC malware analysis — malicious · 2072a1635e13a7a7

MALICIOUS

Office (OLE) / .DOC

62.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: dab0c75b7d93f67cac6c5f1e8fd147dc SHA-1: b297a995c468afbbffcb5ceae978f5a00831a515 SHA-256: 2072a1635e13a7a786aa8f601776d081dabb34b654d8d69bd4b3e1aa3a2bb432

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an OLE document with a high slack anomaly, indicating potential obfuscation or embedded malicious content. A high-severity heuristic firing for CreateProcess API suggests the document attempts to launch an external process. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or delivery mechanism.

Heuristics 2

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 63,648 bytes but its declared streams total only 21,151 bytes — 42,497 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.