Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 430f7d3cc2e5444b…

MALICIOUS

Office (OLE) / .DOC

Size: 67.2 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: b6cf1c6619673909259b01ab662ad228
SHA-1: cd34a3fcbc2c5cde3c7c8887f6e3af06ebfabef8
SHA-256: 430f7d3cc2e5444b9200c90e4840b3626c90f333b4416a83d2f30ac2a82cdb88
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an OLE document with a high slack anomaly, indicating potential obfuscation or embedded malicious content. A heuristic firing on a reference to the CreateProcess API suggests the document's macro attempts to launch an external process. While no document body or script content was available for analysis, the presence of the CreateProcess API reference strongly implies downloader or dropper functionality.

Heuristics (2)

  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 68,768 bytes but its declared streams total only 21,151 bytes — 47,617 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).