Office (OLE) / .DOC malware analysis — malicious · 52912dc52acdbf5e

MALICIOUS

Office (OLE) / .DOC

151.5 KB

MD5: b4d6d4d8abe82879539812aeb278836b SHA-1: 9cee0d322a89e6b92b35f45551d98fbe609a57a3 SHA-256: 52912dc52acdbf5edc1ec33460da464b30f5e821a01e76e4065e083e3d760412

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1055 Process Injection

The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls strongly suggests the document is designed to load and execute shellcode. The OLE slack anomaly indicates a large amount of hidden data, likely the shellcode itself. While no specific family is identified, the techniques used are common for macro-based malware droppers. No document body text or scripts were extracted to provide further context on the specific lure or payload.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 155,136 bytes but its declared streams total only 31,351 bytes — 123,785 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.