Office (OLE) / .DOC malware analysis — malicious · 5961a8d0369795c6

MALICIOUS

Office (OLE) / .DOC

142.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 30455eb09b9d1b4e202d7f4904fd045f SHA-1: e5092d6fac43f9a1c63589745f78ca17de8aadda SHA-256: 5961a8d0369795c6574fa53156e2e4128abe34acdc9bf34d5defbe22a1c32642

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of APIs commonly used for dynamic code loading and execution (VirtualAlloc, LoadLibrary, GetProcAddress). While no specific script content was extracted, the combination of these factors suggests the document is designed to execute arbitrary code, likely for downloading and running a second-stage payload. The embedded URL, though benign, is noted.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 145,824 bytes but its declared streams total only 21,151 bytes — 124,673 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.