Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3c505b80b7fa075f…

MALICIOUS

Office (OLE) / .DOC

Size: 175.0 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: 8e81584775560db38c530f3657b9bb6e
SHA-1: 4b45718126d3f4068ad895173ec27d3dd23f72eb
SHA-256: 3c505b80b7fa075f7a3228bc39c199e47aa81890c5e6fecdbf81e0d7f65a430e
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document. A high-severity heuristic flags a reference to the CreateProcess API, suggesting an attempt to launch an external process. The document body is heavily obfuscated and unreadable, providing no direct clues about the lure or payload. The OLE slack anomaly points to potential data hiding or padding, which is common in malicious documents.

Heuristics (2)

  • SC_STR_CREATEPROCESS (high): Reference to CreateProcess API
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    OLE file is 179,200 bytes but its declared streams total only 94,801 bytes; the remaining 84,399 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).