Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5190b5015cf50a16…

MALICIOUS

Office (OLE) / .DOC

167.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: a4b2f0afc5954b11fec4428d7f70e984 SHA-1: 2f870cea9f49875b4c0fe01b8080ee166e5f4b0a SHA-256: 5190b5015cf50a1683121e4efbce00420c2e6202cd6324e7f028512d998b0f73
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The OLE document exhibits a significant slack space anomaly and contains an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, commonly employed by malware to load and execute payloads. The embedded executable is the primary indicator of malicious intent, suggesting a delivery mechanism for a secondary stage payload.

Heuristics 5

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 171,780 bytes but its declared streams total only 94,801 bytes — 76,979 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001c600.exe
849ebb4ab4b00e70231ee7b67fb5d0f2248ee3a8b509cc3638843ff6a724009a		 embedded-pe Office MZ+PE at offset 0x1C600 55556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.