Office (OLE) / .DOC malware analysis — malicious · 51db012b4acd979a

MALICIOUS

Office (OLE) / .DOC

83.7 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 57b3355bf4af1c437b78c87611d18840 SHA-1: b422609bf27ad3b506c587b5bd86d04319de6033 SHA-256: 51db012b4acd979a29231710ad6efd97ddd69144971d902c71a31874fbb0cbe8

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly, suggesting the presence of hidden or packed code. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, commonly employed by malware to allocate memory and load malicious libraries. While the embedded URL is benign, the combination of these API calls points towards a malicious payload execution. No scripts were extracted from this sample.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 85,664 bytes but its declared streams total only 21,151 bytes — 64,513 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.