Verdict: MALICIOUS
Risk Score: 160
Malware Insights
MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1204.002 Malicious Link
The presence of OLE_SLACK_ANOMALY and references to WinExec and CreateProcess APIs strongly suggest the document is designed to execute arbitrary code. The NOP sled further indicates shellcode execution. The document body contains embedded object information, which is a common lure for exploiting Office vulnerabilities. No specific family is identifiable from the provided evidence.
Heuristics (4)
- NOP sled detected [high] (SC_NOP_SLED): Found 20+ consecutive 0x90 bytes
- Reference to WinExec API [high] (SC_STR_WINEXEC): Reference to WinExec API
- Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS): Reference to CreateProcess API
- OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY): OLE file is 110,552 bytes but its declared streams total only 31,351 bytes — 79,201 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).