Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2ca68bafecbaf60f…

MALICIOUS

Office (OLE) / .DOC

Size: 92.0 KB (94,208 bytes)
Created: 2009-10-05 08:23:00
Authoring application: Microsoft Word 9.0 (Word 2000)
MD5: d2374a2f29f84361819dc2ba3a6f8044
SHA-1: 883e6e86d072b1bddee70d90eafa00d9972ef2a0
SHA-256: 2ca68bafecbaf60f741aee9805f5d3578891da6a3ef37bf47c4f524a43ab560f
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell

The file is an OLE (Compound File Binary) document in which 59% of the bytes lie outside any declared stream, a strong indication of hidden or embedded content. Byte-pattern heuristics flag a read of the PEB pointer through FS:[0x30] followed by ROR13-style hashing: the fingerprint of position-independent shellcode that resolves Windows API addresses at runtime instead of importing them by name, which also keeps API names out of a string scan. The visible document body is a list of media contacts with names, birth dates and phone numbers, plausible decoy content for a social-engineering pretext. No scripts (macros) were extracted and no specific IOCs (URLs, IP addresses, dropped-file hashes) were identified, so the verdict rests on the structural anomaly and the shellcode heuristics rather than on a recovered payload.
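The two shellcode heuristics above key on byte patterns; the report presents them as heuristics and lists no extracted payload. As an added example, not code from the original report or its scanner, the following Python shows what those patterns are and how they fit together: the ROR13 import hash that position-independent x86 stubs use to pick an export out of a module's export table without naming it, the FS:[0x30] PEB-read and ROR r32,13 encodings a detector looks for, and a search for embedded hash constants that recovers which API a stub intends to call. The bytes in `SAMPLE_STUB` are hand-assembled for illustration and labelled as constructed; they are modelled on the common resolver prologue, not recovered from the analysed file. The constant 0x0726774C is the value this hashing scheme produces for `kernel32.dll` / `LoadLibraryA`.

```python
import re
import struct

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`, exactly as the x86 ROR instruction does."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_api_hash(module, function):
    """ROR13 import hash as used by common position-independent x86 resolvers:
    the module's BaseDllName is hashed upper-cased as UTF-16LE including its
    terminator, the export name as ASCII including its NUL, and the two running
    hashes are added. The stub compares this sum against a constant it carries."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, 13) + b) & MASK32
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, 13) + b) & MASK32
    return (h_mod + h_fn) & MASK32


# x86 encodings that read the PEB pointer (TEB offset 0x30) through the FS segment:
#   64 A1 30 00 00 00                  mov eax, fs:[0x30]
#   64 8B <mod=00,rm=101> 30 00 00 00  mov r32, fs:[0x30]
#   64 8B <mod=01,rm!=100> 30          mov r32, fs:[r32+0x30]  (rm=100 means a SIB byte follows)
_DISP32_MODRM = bytes(0x05 | (reg << 3) for reg in range(8))
_DISP8_MODRM = bytes(m for m in range(0x40, 0x80) if (m & 7) != 4)
PEB_ACCESS_RE = re.compile(
    rb"\x64(?:\xA1\x30\x00\x00\x00|\x8B["
    + re.escape(_DISP32_MODRM)
    + rb"]\x30\x00\x00\x00|\x8B["
    + re.escape(_DISP8_MODRM)
    + rb"]\x30)"
)
# C1 /1 ib with a register operand is ROR r32, imm8; imm8 == 13 is the ROR13 idiom.
ROR13_RE = re.compile(rb"\xC1[\xC8-\xCF]\x0D")


def find_api_hash_resolvers(blob, window=48):
    """Offsets (peb_read, ror13) for every PEB read followed within `window` bytes
    by a ROR r32,13. The pair, not either instruction alone, is the fingerprint."""
    hits = []
    for m in PEB_ACCESS_RE.finditer(blob):
        r = ROR13_RE.search(blob, m.end(), m.end() + window)
        if r:
            hits.append((m.start(), r.start()))
    return hits


def find_known_hashes(blob, names):
    """Map offsets of little-endian dwords to the (module, function) pair whose
    ROR13 hash they equal: this recovers what a hash-resolving stub intends to call."""
    table = {ror13_api_hash(m, f): (m, f) for m, f in names}
    found = {}
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in table:
            found[off] = table[val]
    return found


# Constructed sample: a hand-assembled fragment modelled on the usual resolver
# prologue (PEB -> Ldr -> module list -> hash the module name), ending in a push of
# the LoadLibraryA hash. It is NOT shellcode recovered from the analysed document.
SAMPLE_STUB = bytes.fromhex(
    "fce8820000006089e531c0"    # cld / call / pushad / mov ebp,esp / xor eax,eax
    "648b5030"                  # mov edx, fs:[eax+0x30]      ; PEB
    "8b520c8b52148b7228"        # Ldr -> InMemoryOrderModuleList -> BaseDllName.Buffer
    "0fb74a2631ff"              # movzx ecx, word [edx+0x26] / xor edi,edi
    "ac3c617c022c20"            # lodsb / cmp al,'a' / jl +2 / sub al,0x20
    "c1cf0d01c7e2f2"            # ror edi,13 / add edi,eax / loop
    "684c772607"                # push 0x0726774C            ; kernel32.dll!LoadLibraryA
)

if __name__ == "__main__":
    print("resolver hits:", find_api_hash_resolvers(SAMPLE_STUB))
    print("known hashes:", find_known_hashes(SAMPLE_STUB, [("kernel32.dll", "LoadLibraryA")]))
```

Run against a carved region rather than the whole document: the PEB-read encodings are short and will appear by chance in large binary blobs, which is why the resolver check requires the ROR13 instruction to follow within a small window. Extend `names` with the module/export pairs you expect (`kernel32.dll!WinExec`, `kernel32.dll!ExitProcess`, ...) to label the constants a stub pushes before calling its resolver.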

Heuristics (3)

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    Reads the Process Environment Block pointer from the Thread Environment Block at FS:[0x30], the first step x86 shellcode takes to locate loaded modules without an import table.
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, the common position-independent shellcode import resolver: module and export names are hashed at runtime and compared against constants embedded in the stub, so no API name appears in the bytes.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The OLE file is 94,208 bytes but its declared streams total only 39,082 bytes, so 55,126 bytes (59%) lie in sectors that no stream claims. Some of that is legitimate structure (the 512-byte header, FAT, directory and MiniFAT sectors, and the padding of each stream to a sector boundary), but nowhere near this share. Unallocated sectors are the classic hiding place for the payload of binary Office exploit documents that rely on a parser bug rather than a macro: XOR-encoded shellcode reached once a pointer-corruption bug in the document structure redirects control flow.