Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 74253311a6409509…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC
Size: 55.8 KB (57,129 bytes)
Created: 2007-12-03 01:19:00 (document-internal metadata; attacker-controlled, not a filesystem timestamp)
Authoring application: Microsoft Word 9.0 (Word 2000; also document metadata)
MD5: eb91fdfe0c817f30fca0a41e405b3a35
SHA-1: dc63799e23bf0c74eb8cfc705a5a8578cb1725e7
SHA-256: 74253311a6409509f7539170603290f9420912112beb85b6fb677f3c575171bd
Risk Score: 300

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059 Command and Scripting Interpreter

The sample exhibits the characteristics of a malicious Office document: a NOP sled, an x86 GetPC stub, and string references to the memory allocation and protection APIs VirtualAlloc and VirtualProtect and to LoadLibrary/GetProcAddress, the set that position-independent shellcode needs to resolve its imports at run time. Most of the file (71%) lies outside any declared OLE stream, which is where pre-macro-era exploit documents carry their payload. The ClamAV detection 'Win.Trojan.Packed-74' further supports the verdict. Taken together, these indicators point to an exploitation attempt (T1203) whose embedded shellcode is expected to download and execute a secondary payload. That last step is an inference from the API set: static analysis shows string references, not executed calls, and no URL or second-stage binary is visible, so confirming the payload requires decoding the slack region or detonating the document.
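The shellcode indicators listed in this report can be reproduced with a few byte-pattern heuristics. The Python below is an added example, not the report's own scanner: it looks for runs of 0x90, the CALL $+5; POP r32 GetPC stub (matching any 32-bit register, a slight generalization of the POP EAX form named in the report), plain API-name strings, and, because payloads in this class are typically XOR-encoded, a single-byte XOR brute force that reports every key under which an API name appears. The SAMPLE blob, its offsets, the key 0x5A and the heuristic IDs are all constructed here for the demonstration and are not bytes from the analysed file.

```python
import re

# Heuristic IDs mirror the report's naming; the sample bytes, offsets and the
# XOR key 0x5A below are constructed for this example, not taken from the file.
API_NEEDLES = {
    b"LoadLibrary": "SC_STR_LOADLIBRARY",       # also matches LoadLibraryA/W/ExA
    b"GetProcAddress": "SC_STR_GETPROCADDRESS",
    b"VirtualAlloc": "SC_STR_VIRTUALALLOC",     # also matches VirtualAllocEx
    b"VirtualProtect": "SC_STR_VIRTUALPROTECT",
}
X86_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # POP opcodes 58..5F


def find_nop_sleds(buf: bytes, min_len: int = 20):
    """Offsets and lengths of runs of >= min_len 0x90 bytes (SC_NOP_SLED)."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % min_len, buf)]


def find_getpc(buf: bytes):
    """CALL $+5 (E8 00 00 00 00) followed by POP r32 (58..5F): the GetPC stub
    position-independent shellcode uses to learn its own load address."""
    return [(m.start(), X86_REGS[m.group(0)[5] - 0x58])
            for m in re.finditer(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]", buf)]


def find_api_strings(buf: bytes):
    """Plain-text API names present in the buffer and their first offset."""
    return {n.decode(): buf.find(n) for n in API_NEEDLES if n in buf}


def xor_bruteforce_strings(buf: bytes, keys=range(1, 256)):
    """Decode with every single-byte XOR key (0 is the identity, so skipped)
    and report (key, offset, name) wherever an API name becomes visible."""
    hits = []
    for k in keys:
        dec = buf.translate(bytes(i ^ k for i in range(256)))
        for n in API_NEEDLES:
            off = dec.find(n)
            if off != -1:
                hits.append((k, off, n.decode()))
    return hits


def triage(buf: bytes) -> dict:
    """Run every heuristic and list the IDs that fired, in the report's order."""
    sleds, getpc = find_nop_sleds(buf), find_getpc(buf)
    plain, xored = find_api_strings(buf), xor_bruteforce_strings(buf)
    seen = set(plain) | {name for _, _, name in xored}
    triggered = (["SC_NOP_SLED"] if sleds else []) + (["SC_GETPC_CALL"] if getpc else [])
    triggered += [hid for n, hid in API_NEEDLES.items() if n.decode() in seen]
    return {"nop_sleds": sleds, "getpc": getpc, "api_strings": plain,
            "xor_hits": xored, "triggered": triggered}


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed sample: filler, a 32-byte NOP sled, the GetPC stub, one plain
# API name, then three more hidden behind a single-byte XOR with key 0x5A.
SAMPLE = (
    b"A" * 40
    + b"\x90" * 32
    + b"\xE8\x00\x00\x00\x00\x58"      # CALL $+5 ; POP EAX
    + b"GetProcAddress\x00"
    + _xor(b"LoadLibraryA\x00VirtualAlloc\x00VirtualProtect\x00", 0x5A)
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real sample, run this over the bytes of the unallocated sector region rather than the whole file: that keeps the XOR search from reporting plain-text API names that a legitimately embedded binary would also carry, and a key that reveals several names at once in the slack is the one to decode with.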

Heuristics (8)

  • ClamAV: Win.Trojan.Packed-74 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Packed-74. This is a signature match rather than a heuristic, and a generic one: it does not identify a specific family.
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes. A sled widens the landing zone so that an imprecise control-flow hijack still slides into the shellcode; a run of 0x90 this long has no reason to appear in a Word binary stream.
  • x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL
    E8 00 00 00 00 58: a CALL to the very next instruction pushes its own return address, which POP EAX then recovers. Position-independent shellcode uses this to learn its load address before decoding its body or reaching its embedded data.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Together these two names are the minimal import-resolution kit for code that has no import table: load a DLL by name, then look up further functions in it.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 57,129 bytes but its declared streams total only 16,486 bytes: 40,643 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Note that the header, FAT and directory sectors legitimately account for part of the difference, so the 40,643-byte figure is an upper bound on the hidden data; the sectors no FAT entry claims are the region to carve and decode.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Used to obtain, or re-mark, memory as executable before a decoded stage is copied into it. In a static scan these are string references, not observed calls, and they rate medium because the same names occur in any legitimately embedded PE.
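The OLE_SLACK_ANOMALY figures come from comparing the stream sizes the directory declares with the length of the file. The Python below is an added example, not the report's tooling: a minimal MS-CFB (compound file) parser that computes the same numbers, additionally counts the sectors no FAT entry claims, and returns those unallocated bytes so they can be handed to a shellcode scanner. The sample document it builds (one 100-byte WordDocument stream followed by 1,536 bytes of 0x90 slack) is constructed here; the builder places that small stream in a regular sector, which a real writer would not do below the mini-stream cutoff, and the parser assumes the version 3 layout with at most 109 FAT sectors (no DIFAT sector chain).

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
SHIFT = 9
SECTOR = 1 << SHIFT            # 512-byte sectors (compound file version 3)


def _dir_entry(name: str, otype: int, child: int, start: int, size: int) -> bytes:
    """One 128-byte directory entry: UTF-16 name, type (5 root, 2 stream), tree links, extent."""
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\x00\x00"
    e[: len(n)] = n
    struct.pack_into("<HBB", e, 0x40, len(n), otype, 1)           # name length, type, colour
    struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)  # left, right, child
    struct.pack_into("<IQ", e, 0x74, start, size)                 # start sector, size
    return bytes(e)


def build_sample_ole(stream_data: bytes, slack: bytes) -> bytes:
    """Constructed sample: header, FAT in sector 0, directory in sector 1, one
    stream in sector 2, then `slack` appended as sectors no FAT entry claims."""
    assert len(stream_data) <= SECTOR
    hdr = bytearray(SECTOR)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, SHIFT, 6)   # versions, byte order, shifts
    # dir sectors (v3: 0), FAT sectors, first dir sector, txn, mini cutoff,
    # first mini-FAT, mini-FAT count, first DIFAT, DIFAT count
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))       # DIFAT: the FAT is sector 0
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (SECTOR // 4 - 3)
    directory = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + _dir_entry("WordDocument", 2, NOSTREAM, 2, len(stream_data)))
    return (bytes(hdr) + struct.pack("<%dI" % len(fat), *fat)
            + directory.ljust(SECTOR, b"\x00") + stream_data.ljust(SECTOR, b"\x00") + slack)


def ole_slack_report(data: bytes) -> dict:
    """Compare the streams the directory declares with what the file actually holds."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)      # assumption: no DIFAT sector chain
    fat = []
    for sid in difat[:num_fat]:
        if sid == FREESECT:
            break
        fat += struct.unpack_from("<%dI" % (sector // 4), data, (sid + 1) * sector)
    streams, sid, seen = [], first_dir, set()
    while sid < len(fat) and sid not in seen:               # ENDOFCHAIN/FREESECT exceed len(fat)
        seen.add(sid)
        base = (sid + 1) * sector
        for i in range(sector // 128):
            e = data[base + i * 128: base + (i + 1) * 128]
            if len(e) < 128:
                break
            if e[0x42] == 2:                                  # object type 2 = stream
                nlen = struct.unpack_from("<H", e, 0x40)[0]
                name = e[: max(nlen - 2, 0)].decode("utf-16-le", "replace")
                streams.append((name, struct.unpack_from("<Q", e, 0x78)[0]))
        sid = fat[sid]
    declared = sum(size for _, size in streams)
    total = -(-(len(data) - sector) // sector)               # sectors after the header (ceil)
    unalloc = [s for s in range(total) if s >= len(fat) or fat[s] == FREESECT]
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": declared,
        "unaccounted_bytes": len(data) - declared,           # the report's figure (an upper bound)
        "unaccounted_pct": round(100 * (len(data) - declared) / len(data), 1),
        "unallocated_sectors": len(unalloc),
        "unallocated_bytes": len(unalloc) * sector,
        "slack": b"".join(data[(s + 1) * sector:(s + 2) * sector] for s in unalloc),
    }


if __name__ == "__main__":
    # Stream starts with the Word FIB wIdent 0xA5EC, padded to 100 bytes; slack is all NOPs.
    doc = build_sample_ole(b"\xEC\xA5\xC1\x00" + b"\x00" * 96, b"\x90" * 1536)
    print({k: v for k, v in ole_slack_report(doc).items() if k != "slack"})
```

The "unaccounted_bytes" value reproduces the report's arithmetic (file length minus declared stream bytes), while "unallocated_bytes" is the tighter sector-level figure; the "slack" bytes are what to carve out and run the XOR brute force over.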