Office (OLE) / .DOC malware analysis — malicious · 3fc8f114bcd92387

MALICIOUS

Office (OLE) / .DOC

185.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 073171721217892c1beb51d2920f96df SHA-1: 468ca780e840ff9eaf8e39e3e2b9a87f2e79eda6 SHA-256: 3fc8f114bcd92387221a7fcc67d8db55155ac9af9b4dafa95a0132d893d38df5

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document exhibiting a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of API calls like LoadLibrary and GetProcAddress, commonly used by malware to load and execute code. The document body is heavily obfuscated and unreadable, suggesting it's designed to hide malicious intent rather than convey information. The combination of these factors points to a document designed to exploit vulnerabilities and download further payloads.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 189,440 bytes but its declared streams total only 94,801 bytes — 94,639 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.