Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 71fe5cd529a7f09c…

MALICIOUS

Office (OLE) / .DOC

64.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 66c3c685853ec5d7c1da4496e9efb5e7 SHA-1: 613f5e7a7c1fb97415c3430e5650c960fa0f4d6a SHA-256: 71fe5cd529a7f09cdf713202f4ea43fd52c78453413c5914a0aaa3956d8793e2
82 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is a malicious OLE document that contains a reference to the CreateProcess API, indicating an attempt to launch an external process. The document also contains embedded URLs that could be used for further malicious activity. The large slack space in the OLE structure is also anomalous.

Heuristics 3

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 65,952 bytes but its declared streams total only 21,151 bytes — 44,801 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.5iantlavalamp.com/h
    • http://www.5iamas-microsoft-com:office:smarttags

Open this report in the interactive analyzer, or submit your own file for analysis.