Malicious Office (OLE) / .AMW — malware analysis report

Static analysis result for SHA-256 3cd85e734c330abe…

MALICIOUS

Office (OLE) / .AMW

175.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 2e5e86260270d5b54f29c4045708d905 SHA-1: 9effde28d4b2244314f7d31f67508bb40e175f94 SHA-256: 3cd85e734c330abea3a9c063ac01c9f06a3c9412e1786d8f35bfd83837aff8d6
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample contains a high-severity heuristic firing for CreateProcess API, indicating an attempt to launch an external process. The document body is heavily obfuscated and does not provide clear textual lures. No scripts were extracted from this sample. The OLE slack anomaly suggests potential data hiding or packing.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 179,208 bytes but its declared streams total only 94,801 bytes — 84,407 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.