Office (OLE) / .DOC malware analysis — malicious · 347905cb3bd17d12

MALICIOUS

Office (OLE) / .DOC

590.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: abcead8f9e6c5098df16bc9765b36b9f SHA-1: d441308b467de44383e2b7cb73db2d0d04db0261 SHA-256: 347905cb3bd17d12efdd2fa0882b0b170159300d1405a678a0f7ed753d3cd9c3

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The document exhibits characteristics of an advance-fee scam, referencing lottery winnings or parcel delivery requirements to deceive the user. The presence of a CreateProcess API reference suggests the document may attempt to execute malicious code. While no scripts were extracted, the heuristic firings and document content strongly indicate a social engineering attack aimed at financial fraud.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 604,576 bytes but its declared streams total only 21,151 bytes — 583,425 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.