Office (OLE) / .DOC malware analysis — malicious · 420f290de00e02dd

MALICIOUS

Office (OLE) / .DOC

122.3 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 0ab4f9d4999a90724036fee8b14c688c SHA-1: d79f2840ffb6d8f2da6db76ccf198671bc0b19e2 SHA-256: 420f290de00e02ddd14551a51e9583d3bd512efcb56628159d9d86008e982df5

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1071.001 Web Protocols

The OLE document exhibits a significant slack space anomaly, suggesting the presence of hidden or obfuscated content. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, commonly employed by malware to load and execute shellcode or download additional payloads. The lack of document body text or script content prevents a more precise determination of the attack's specific lure or the exact nature of the payload, leading to an unknown family classification.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 125,245 bytes but its declared streams total only 21,151 bytes — 104,094 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.