Office (OLE) / .DOC malware analysis — malicious · 75bb617b9a5fbd20

MALICIOUS

Office (OLE) / .DOC

93.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 2f5fcbaea71c37c4affa9d533f010fcc SHA-1: 58bb569af4d37f111df8a97dad6954678e98d7d2 SHA-256: 75bb617b9a5fbd205b8706481f53f03b610c4c40e83afe181973278b3a71a62d

82 Risk Score

Malware Insights

The sample is a malicious OLE document that contains a reference to the CreateProcess API, indicating an attempt to launch an external process. The large slack space in the OLE structure is also anomalous. No specific malware family could be identified, and no executable content or network indicators were directly extracted.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 95,648 bytes but its declared streams total only 21,151 bytes — 74,497 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.