Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 32a559d455f31402…

MALICIOUS

Office (OLE) / .DOC

Size: 157.5 KB
MD5: 84a18e75e16286aa713d0e4560b8c334
SHA-1: 1f82ede7ff10e885396bde8b0dbdf3b26e19c224
SHA-256: 32a559d455f31402df815f59c17a232d860d9632383b5f8989b8a75e428f4e5a
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.001 (PowerShell), T1204.002 (Malicious File)

The sample is a malicious OLE document with a large slack space anomaly, indicating potential obfuscation or embedded content. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, common for dynamically loading malicious code. The document body is heavily corrupted, preventing analysis of its specific lure, but the presence of these API calls strongly suggests an attempt to download and execute a second-stage payload.

Heuristics (3)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 161,280 bytes, but its declared streams total only 31,351 bytes; the remaining 129,929 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).