Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 250ff87ba85b2cb7…

MALICIOUS

Office (OLE) / .DOC

228.8 KB
MD5: 3d77fe374ec8175648646ec4ce5eb2b6
SHA-1: ea20edba2914f19542a46415db31cb7872a3cc4a
SHA-256: 250ff87ba85b2cb7bd04c9e4442eb08f70d5c1d555347c16addaa0d05bda8cb0
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell

The file is an OLE document with a large slack-space anomaly, indicating potential obfuscation or embedded malicious content. A critical ClamAV detection for 'Doc.Dropper.Agent-1828513' strongly suggests that it is malicious. Furthermore, the presence of a suspicious cmd.exe invocation and PEB access points to the execution of a secondary payload, likely a dropper.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-1828513 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1828513
  • PEB access via FS segment (x86) (high, SC_PEB_ACCESS)
  • Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 234,241 bytes but its declared streams total only 94,801 bytes; 139,440 bytes (60%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).