Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 616e7d0891fc223d…

MALICIOUS

Office (OLE) / .DOC

369.5 KB
MD5: b1c84e706d3e23e7bb6ca5d48cd2272d
SHA-1: 11690aa7c8b37a040bb32ac1a06ba23a583343b7
SHA-256: 616e7d0891fc223d4fd1e6b5db80f6816b2ba15656ee4dbbbab5b6245edb962e
Risk Score: 200

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE document exhibiting a large slack space anomaly and containing an EMF object within its EPRINT stream. Heuristics indicate the presence of a NOP sled and calls to LoadLibrary and GetProcAddress APIs, strongly suggesting the exploitation of a client-side vulnerability to execute arbitrary code. The document body contains Chinese text related to file construction and embedded objects, but does not provide direct instructions or lures.

Heuristics (5)

  • Office EPRINT stream contains EMF object [high, CVE related] (OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and, when paired with Office exploit payload anomalies, is evidence of the CVE-2007-3893 / MS07-046 family of exploits; this rule alone does not prove that the EMF record is malformed.
  • NOP sled detected [high] (SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
    The file contains a string reference to the LoadLibrary API.
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
    The file contains a string reference to the GetProcAddress API.
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    The OLE file is 378,372 bytes but its declared streams total only 31,351 bytes; the remaining 347,021 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).