Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 20cb2fd7c35b9a47…

MALICIOUS

Office (OLE) / .DOC

Size: 399.8 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: a62ad9e8b0a879e17635318d2137939e
SHA-1: 2557369bd1e43c1a813920807a075e68d4b7e89a
SHA-256: 20cb2fd7c35b9a47d2f2627f0e6b58ddab6a686bf94ea5aa44fa293033192b71
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1055.012 Process Injection: Process Hollowing

The OLE document exhibits a significant slack space anomaly, suggesting embedded malicious content. High-severity heuristics indicate the use of memory manipulation APIs like VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, commonly employed for loading and executing shellcode or second-stage payloads. The specific techniques suggest a process hollowing or similar memory injection attack. Without extracted scripts or URLs, the exact payload and delivery mechanism remain undetermined, leading to an 'unknown family' classification.

Heuristics (5)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 409,358 bytes but its declared streams total only 94,801 bytes; 314,557 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (severity: medium, rule: SC_STR_VIRTUALPROTECT)