Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2d91775dbfbff57c…

MALICIOUS

Office (OLE) / .DOC

Size: 963.0 KB
Created: 1996-02-12 19:56:00
Authoring application: Microsoft Word 6.0
MD5: 9f9b6c206821ed9c5598cc9ad504fe6e
SHA-1: 16a1270e08fc67099ec8a0efd2015ed5bab11f83
SHA-256: 2d91775dbfbff57c9f35753de9f9fb203d925d989cfae9be225fa0cf843e715c
Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1218 Signed Binary Proxy Execution
  • T1071 Application Layer Protocol

The sample exhibits high-confidence heuristics for heap spraying and references to LoadLibrary and GetProcAddress APIs, suggesting the execution of shellcode. The push-string heuristic indicates a reference to 'explorer.exe', likely for process injection or execution. The embedded URL is likely used to download and execute a second-stage payload. The document body content is benign and appears to be a lure.

Heuristics (6)

  • Heap-spray pattern detected (high, SC_HEAP_SPRAY)
    Repeated 0x41 (A) bytes found
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED)
    Long run of 0x41 bytes
  • x86 push-string-call (medium, SC_PUSH_STRING)
    Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://192.168.1.133/index.php?arch=i386&os=windows&version=unknown&c=BhU49IaF&t=4a42d6864cedc797&random=1024393264