Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3d347655b9dfe80f…

MALICIOUS

Office (OLE) / .DOC

Size: 61.9 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: c878400a014bfcecee8f386335091108
SHA-1: dcf827c85eafb21894369d253f413878d14550dc
SHA-256: 3d347655b9dfe80f5e198b2ad6c52957a506308f46d8bc9443ed69e786da701c
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The file is detected as a dropper by ClamAV. Heuristics indicate the use of XOR-encoded strings and the CreateProcess API, suggesting the execution of a secondary payload. The large slack space in the OLE structure is also anomalous. While no document body or script content was available for analysis, the presence of these indicators points to a malicious dropper.

Heuristics (6)

  • XOR-encoded strings (key 0x12) [critical, SC_XOR_ENCODED]
    Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0x12: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileA'
  • ClamAV: Doc.Dropper.Agent-7084144-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-7084144-0
  • x86 GetPC stub (CALL $+5; POP EBX) [high, SC_GETPC_CALL]
  • Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 63,392 bytes but its declared streams total only 21,151 bytes; 42,241 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]