Office (OLE) / .DOC malware analysis — malicious · 580ff07d795b4a53

MALICIOUS

Office (OLE) / .DOC

194.7 KB

MD5: 17510b3600186139bceeb9603bfc778a SHA-1: 62bb22ec000d8b798095c45868c1a5da1d2e45e7 SHA-256: 580ff07d795b4a53bb9afd8d7cc9afff55c93cf11f0f4fb671e45693100e4835

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious OLE document containing a NOP sled and references to CreateProcess and GetProcAddress APIs, indicating potential shellcode execution. The document body text is nonsensical and does not provide a clear lure. The presence of an embedded URL, though benign, suggests an attempt to download or interact with external resources. The high percentage of slack space in the OLE structure is also suspicious.

Heuristics 5

NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 199,374 bytes but its declared streams total only 31,351 bytes — 168,023 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.