Office (OLE) / .DOC malware analysis — malicious · 4d643155f62b5e94

MALICIOUS

Office (OLE) / .DOC

131.5 KB

MD5: 7fb82271808c647a862f4eadd735050a SHA-1: 529e2682e49ebc40d4e7ca10c759d54900378338 SHA-256: 4d643155f62b5e94b15ba9f6903804f5890512ced28314b5cff838046c907e39

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample exhibits high-confidence heuristic firings for WinExec, CreateProcess, cmd.exe, LoadLibrary, and GetProcAddress, indicating a strong likelihood of malicious code execution. The OLE slack anomaly suggests potential obfuscation or embedded malicious content. While no specific document body content or scripts were extracted to detail the exact payload, the API calls strongly suggest the document is a loader for further malicious activity.

Heuristics 7

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 134,656 bytes but its declared streams total only 31,351 bytes — 103,305 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.