Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2f35b47027705eb5…

MALICIOUS

Office (OLE) / .DOC

Size: 91.4 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 98a788a012940aba91036d35cf9e546a
SHA-1: a3c0fd282079ba5795b56a7d2af2d556d7a56ab2
SHA-256: 2f35b47027705eb5d42fa295833a630942445cbab5896777aa609b783cc57e54
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly and contains an embedded PE executable. The presence of LoadLibrary and GetProcAddress API references suggests the embedded executable is likely a payload designed to be loaded and executed. The embedded executable itself is the primary IOC.

Heuristics (4)

  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 93,604 bytes but its declared streams total only 21,151 bytes — 72,453 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000a2a0.exe
SHA-256: 5625082edc59416cd75e8ec827f0fc7ab866bc1205dab088e0b51fc864ee3e4c
Kind: embedded-pe
Source: Office, MZ+PE at offset 0xA2A0
Size: 51972 bytes