Office (OLE) / .DOC malware analysis — malicious · 455b0984773a837f

MALICIOUS

Office (OLE) / .DOC

175.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 75f67487844c51f61f10a1604c0e6438 SHA-1: 9851b3d1ca18e59339003d0642c5351c6cc1e026 SHA-256: 455b0984773a837fa87e63aa305dd2ebc30f7831069af50ce65e748c07971806

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1059.001 PowerShell T1204.002 Malicious File T1071.001 Web Protocols T1105 Ingress Tool Transfer T1087.001 Local Accounts

The sample exhibits high-confidence heuristic firings for WinExec, CreateProcess, and cmd.exe invocation, indicating an attempt to execute arbitrary code. The OLE slack anomaly suggests potential obfuscation or embedded malicious content. While no specific URLs or scripts were extracted, the presence of these API calls strongly suggests the document is designed to download and execute a second-stage payload, likely via command-line execution.

Heuristics 7

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 179,200 bytes but its declared streams total only 94,801 bytes — 84,399 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.