Office (OLE) / .DOC malware analysis — malicious · 2fccd1af455fa835

MALICIOUS

Office (OLE) / .DOC

185.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 5a55cfe2b41066ede14a8eb90640f8da SHA-1: 0936d264d913a91e5423c4e8aaee7ef3938c485e SHA-256: 2fccd1af455fa8352c76d4e2e167316ae49a94d353f6dd7f0d9d201174036f54

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample is a Microsoft Word document exhibiting OLE slack anomalies, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of LoadLibrary and GetProcAddress API calls, commonly used by malware to load and execute code. The document body contains heavily garbled text, suggesting it is not intended for direct user interaction but rather to trigger an exploit or load a secondary payload. The combination of these factors points to a malicious document designed to download and execute further stages.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 189,440 bytes but its declared streams total only 94,801 bytes — 94,639 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.