Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2cb4571b6341ded4…

MALICIOUS

Office (OLE) / .DOC

162.4 KB
MD5: dfb5521b0d3bedef24062443b01d1315
SHA-1: 644b0320b2b00888ea05a1cc822fb7de93034715
SHA-256: 2cb4571b6341ded46089bb1f9158558af51ce1971e11bc2a3465114a901a4909
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell
T1059.003 Windows Command Shell

The OLE document exhibits a significant slack space anomaly, a common characteristic of packed or obfuscated malicious documents. Heuristic firings indicate the presence of APIs typically used for code injection and execution, such as VirtualAlloc, LoadLibrary, and GetProcAddress. These point towards the document's likely intent to download and execute a second-stage payload.

Heuristics (4)

  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 166,333 bytes but its declared streams total only 31,351 bytes — 134,982 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)